Channel: Practical 365

Removing an Auto-Mapped Mailbox from Outlook


A customer asked about a situation in which they’re unable to remove mailboxes from users’ Outlook profiles. In this case they were shared mailboxes and appeared in the left pane of Outlook. Although this case was for shared mailboxes, the cause and solution apply equally to user mailboxes. This can occur for on-premises Exchange Server and cloud-hosted mailboxes in Exchange Online.

In the Outlook account settings for the user, the shared mailbox does not appear as an additional mailbox.

The reason that the shared mailbox appears in Outlook, but does not appear in the Outlook account settings, is that auto-mapping is enabled by default when a user is granted access to a shared mailbox or to another user’s mailbox. When auto-mapping is enabled, Outlook receives extra information in the Autodiscover response that tells it to open the additional mailbox.

The auto-mapping option can only be configured at the time the permissions are granted. If you want to remove auto-mapping for a user’s access to a shared mailbox, then you must remove their mailbox permissions and then re-add the permissions again. Also, this will need to be performed using PowerShell, because the Exchange Admin Center doesn’t expose the option to enable or disable auto-mapping when configuring mailbox permissions.

To remove and re-add a user’s mailbox permissions using PowerShell, we can use the following steps. First, for an on-premises mailbox open the Exchange Management Shell, or for a cloud mailbox connect to Exchange Online.

In this example the user in question is Adam Wally, and the shared mailbox is named SharedOnPremMailbox. Use Get-MailboxPermission to check that the access has been granted as a mailbox permission (rather than, for example, a folder permission).

[PS] C:\>Get-MailboxPermission -Identity SharedOnPremMailbox -User Adam.Wally | fl
RunspaceId      : 1af8b9f0-d64e-4cb8-b8e1-e905c6923ed5
AccessRights    : {FullAccess}
Deny            : False
InheritanceType : All
User            : ESPNET\adam.wally
Identity        : exchangeserverpro.net/Company/Head Office/Shared/SharedOnPremMailbox
IsInherited     : False
IsValid         : True
ObjectState     : Unchanged

Next, use Remove-MailboxPermission to remove the mailbox permission for the user.

[PS] C:\>Remove-MailboxPermission -Identity SharedOnPremMailbox -User Adam.Wally -AccessRights FullAccess
Confirm
Are you sure you want to perform this action?
Removing mailbox permission "SharedOnPremMailbox" for user "Adam.Wally" with access rights "'FullAccess'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Finally, re-add the mailbox permission by running Add-MailboxPermission, this time with -AutoMapping:$false to disable auto-mapping.

[PS] C:\>Add-MailboxPermission -Identity SharedOnPremMailbox -User Adam.Wally -AccessRights FullAccess -AutoMapping:$false

The change will not immediately be obvious to the end user, because there is a delay before their Outlook client picks up the change via Autodiscover. When Outlook receives the updated Autodiscover response, it will remove the auto-mapped mailbox from the user’s Outlook profile. If the user needs to access the mailbox for anything, they must add it to their profile, or open it via the Outlook File menu.

As a side note, there’s nothing in the Get-MailboxPermission output that will tell you whether a user who has access to a mailbox will be auto-mapped. However, for on-premises mailboxes you can query the Active Directory user object properties to determine who will be auto-mapped to a mailbox. The property that stores this information is named msExchDelegateListLink, and it can be queried using Get-ADUser. For example, to view the list of auto-mapped users for a mailbox named Payroll, we can run the following command.

[PS] C:\>Get-ADUser -Filter {Name -eq "payroll"} -Properties msExchDelegateListLink | Select -ExpandProperty msExchDelegateListLink
CN=Bruce.Thillainayagam,OU=Users,OU=Head Office,OU=Company,DC=exchangeserverpro,DC=net
CN=Alex.Heyne,OU=Users,OU=Branch Office,OU=Company,DC=exchangeserverpro,DC=net
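The remove-and-re-add procedure above, followed by the msExchDelegateListLink check, combined into one script. This is an added example, not code from the original post; it assumes an on-premises Exchange Management Shell with the ActiveDirectory module available, and that the -User value is the account's SamAccountName (an optional DOMAIN\ prefix is stripped). The mailbox and user names are placeholders.

```powershell
# Added example (not from the original post): disable auto-mapping for one user on one
# mailbox by removing and re-adding FullAccess, then verify through the AD attribute
# msExchDelegateListLink on the mailbox's own AD object.
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # e.g. "SharedOnPremMailbox" (placeholder)
    [Parameter(Mandatory)] [string] $User       # e.g. "Adam.Wally" (placeholder, SamAccountName assumed)
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Confirm the access really is a direct FullAccess mailbox permission (not inherited, not a Deny).
$perm = Get-MailboxPermission -Identity $Mailbox -User $User |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny }

if (-not $perm) {
    Write-Warning "$User has no direct FullAccess mailbox permission on $Mailbox; nothing to change."
    return
}

# 2. Remove and re-add. Auto-mapping can only be chosen when the permission is granted,
#    so there is no in-place way to turn it off.
Remove-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -Confirm:$false
Add-MailboxPermission    -Identity $Mailbox -User $User -AccessRights FullAccess -AutoMapping:$false | Out-Null

# 3. Verify. msExchDelegateListLink on the mailbox's AD object holds the DNs of users who will
#    still be auto-mapped; the user just changed should no longer be listed.
$mailboxSam = (Get-Mailbox -Identity $Mailbox).SamAccountName
$userDn     = (Get-ADUser -Identity ($User -replace '.*\\', '')).DistinguishedName
$autoMapped = Get-ADUser -Identity $mailboxSam -Properties msExchDelegateListLink |
    Select-Object -ExpandProperty msExchDelegateListLink

[pscustomobject]@{
    Mailbox             = $Mailbox
    User                = $User
    StillAutoMapped     = [bool]($autoMapped -contains $userDn)
    RemainingAutoMapped = @($autoMapped).Count
}
```

Run it as .\Disable-AutoMapping.ps1 -Mailbox SharedOnPremMailbox -User Adam.Wally. The check in step 1 matters because Remove-MailboxPermission on an entry that was granted through a security group, or that is inherited, does not do what the user asked for; the verification in step 3 is the only place the auto-mapping state is actually visible, since Get-MailboxPermission never shows it.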

The post Removing an Auto-Mapped Mailbox from Outlook appeared first on Practical 365.


Test-ExchangeServerHealth.ps1 Has Been Updated to V1.16


A new version of Test-ExchangeServerHealth.ps1 is now available for download. This update contains the following fixes and improvements:

  • Shadow redundancy queues are no longer included in the transport queue size
  • Recovery DBs are now excluded from all Get-MailboxDatabase commands, to avoid issues running tests against them
  • Content index state of “Autosuspended” (introduced in recent CUs) is now catered for as a healthy state
  • Incorrect reporting of Test-ReplicationHealth results for different versions has been fixed
  • Various formatting, readability and other minor issues fixed

You can download the script from the TechNet Script Gallery. For more information on how to use Test-ExchangeServerHealth.ps1, please refer to this blog post.


Reporting Office 365 Admin Role Group Members


Office 365 allows organizations to delegate administrative privileges in a granular fashion. There is an over-arching “Global Administrator” role, as well as a series of lower privilege roles for specific administrative tasks. A partial list of the admin roles is visible in the user management area of the Office 365 admin portal.

That’s not the complete list though. There are several other administrative and non-administrative roles in Office 365. While looking for a complete list, I happened to stumble across some differences between how the old MSOnline PowerShell module reports the list of roles, compared to the new AzureAD PowerShell module. Get-MsolRole returns 30 groups, while Get-AzureADDirectoryRoleTemplate returns 34 groups. I’ve highlighted the differences in the table below.

It’s good practice to review the membership of admin groups on a regular basis, to make sure that only those users who require admin privileges in your tenant actually have them, and nobody else has sneaked in there and been forgotten.

If you’re familiar with the Exchange RBAC permissions model you will notice that none of the Exchange RBAC roles are included in that list above. If you want to report on those you can use my RBAC role group membership report script.

You should also be aware that if you’re using Get-AzureADDirectoryRole as the equivalent cmdlet to Get-MsolRole, the Get-AzureADDirectoryRole cmdlet only returns roles that have been enabled. It seems that a role becomes enabled when you first add a user to the role, or when an admin enables the role using the Enable-AzureADDirectoryRoleTemplate cmdlet. Since the point of this exercise is to report on membership of Office 365 roles, I’m going to use Get-AzureADDirectoryRole as the basis of a PowerShell script, which will effectively ignore roles that have not been enabled yet.

If you just want to download the reporting script, go to the end of this blog post.

To begin with, let’s look at the output of Get-AzureADDirectoryRole for one of my tenants.

PS C:\> Get-AzureADDirectoryRole
ObjectId                             DisplayName
--------                             -----------
1e5b0ce4-381f-4554-93fc-1fdea462c7eb Billing Administrator
32554153-2f11-43f0-aadc-0c3c0e9540c6 CRM Service Administrator
4d7ba3db-b65c-46f8-8fc5-8f5803e7809c Company Administrator
5a12811f-e5d4-4794-b9e7-a604b3881a26 Lync Service Administrator
67780c9d-4aa7-4ff5-986f-c04b07b70546 Power BI Service Administrator
7cbef213-fcb9-43b5-8b65-eee6dd79e2f4 Service Support Administrator
83c85103-dd8e-4d24-bd17-922fc40dd7d4 Directory Readers
a75585d4-38b8-4e14-9a40-8f694cb4164f User Account Administrator
ad9c6fdb-d8c9-4c57-9b2d-070f75bc30db Helpdesk Administrator
daaca1b7-f6f2-4cbb-82e4-f8adcfcdd02e Exchange Service Administrator
e58f4d04-b5fc-406b-a2bd-cc114499ac53 SharePoint Service Administrator
e7b328f2-2839-400c-ac6a-299c2487aa16 Directory Writers
f603a44f-df89-4a46-89b1-aedfe5f52ce8 Directory Synchronization Accounts
fde1b62b-4d9d-4a1b-96ca-381266264055 Device Administrators

To see the membership of a role, such as Company Administrator (which is the same as Global Administrator when you’re editing a user’s roles in the Office 365 admin portal), we need to run Get-AzureADDirectoryRoleMember and supply the ObjectId.

PS C:\> Get-AzureADDirectoryRoleMember -ObjectId 4d7ba3db-b65c-46f8-8fc5-8f5803e7809c
ObjectId                             DisplayName     UserPrincipalName
--------                             -----------     -----------------
8db8b044-b825-4456-b6f7-3994f9296872 Paul Cunningham admin@exchangeserverpro.onmicrosoft.com
b2149a88-327c-4f61-afb5-f8a7374f6d28 Paul Cunningham paul_domain#EXT#@exchangeserverpro.onmicrosoft.com

The standard output looks different depending on the role that you’re querying. For example, Directory Readers looks like this.

PS C:\Scripts> Get-AzureADDirectoryRoleMember -ObjectId 83c85103-dd8e-4d24-bd17-922fc40dd7d4
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
a6bb4c6f-657c-439f-8b52-9ca3dee1b5fd 00000009-0000-0000-c000-000000000000 Microsoft.Azure.AnalysisServices
fc7627c0-4b51-4bfc-8ea1-0a9dd14644d2 00000005-0000-0ff1-ce00-000000000000 Microsoft.YammerEnterprise
1b6f4fb3-25c5-43c6-b414-77da6ec221a1 0711fa10-367d-4adb-93fd-123456789000 O365SecureScore
c462bdd3-b0e3-4737-9b5a-6939e31dd4e2 2dd1318c-77a5-44df-9bd8-123456788999 CiraSync Contact Management
e365650e-697d-498e-bdc9-046e81fe9103 0000001a-0000-0000-c000-000000000000 MicrosoftAzureActiveAuthn

The properties that are returned are also different, depending on the type of object that is a member of the group. Users have properties such as JobTitle, Mail, and PasswordPolicies. Service principals (such as the Office 365 Secure Score service) have properties such as AppId, Homepage, and Oauth2Permissions. Both types of objects have common properties such as ObjectType and DisplayName though, so reporting on both types of objects together is not too difficult.

For this script I’m going to report on:

  • DisplayName
  • ObjectType
  • AccountEnabled
  • UserPrincipalName (for users)
  • Homepage (for service principals)
  • PasswordPolicies (for users)

PS C:\> Get-AzureADDirectoryRoleMember -ObjectId 4d7ba3db-b65c-46f8-8fc5-8f5803e7809c | Select DisplayName,ObjectType,AccountEnabled,UserPrincipalName,HomePage,PasswordPolicies

DisplayName       : Paul Cunningham
ObjectType        : User
AccountEnabled    : True
UserPrincipalName : admin@exchangeserverpro.onmicrosoft.com
HomePage          :
PasswordPolicies  : DisablePasswordExpiration

DisplayName       : Paul Cunningham
ObjectType        : User
AccountEnabled    : True
UserPrincipalName : paul_domain#EXT#@exchangeserverpro.onmicrosoft.com
HomePage          :
PasswordPolicies  : None

Retrieving that information for the members of an admin group/role is not difficult, as you can see above. To generate a full report it’s really just a matter of looping through the roles, collecting the desired info, and presenting it in a readable format for the report. I’ve chosen to use CSV as the file format. You can then load the CSV into Excel to filter and sort the data as required.

This script, Get-O365AdminGroupsReport.ps1, relies on the AzureAD PowerShell module. If you do not have the module installed the script will throw an error. You can install the AzureAD module from the PowerShell Gallery.

To use the script, simply run the following command and you’ll be prompted to authenticate to Azure AD.

PS C:\Scripts> .\Get-O365AdminGroupsReport.ps1

To see script progress, use the -Verbose switch.

PS C:\Scripts> .\Get-O365AdminGroupsReport.ps1 -Verbose

The script will output a CSV file named Office365AdminGroupMembers-ddMMyyyy.csv, where “ddMMyyyy” is the current date (e.g. 17042017). If the file already exists, a unique string of characters is added to the filename.

There are two optional parameters that you can use to change the output behavior:

  • ReportFile – You can provide a custom output file name. The file name you specify will be modified with the current date, for example MyReportFileName.csv will become MyReportFileName-ddMMyyyy.csv. If a file of the same name exists, a unique character string will also be appended to the file name.
  • Overwrite – Overwrites an existing report file of the same name, instead of appending a unique character string.
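The loop described above, with the same output-file behaviour as the ReportFile and Overwrite parameters just listed, written out as a stand-alone script. This is an added example and not the author's Get-O365AdminGroupsReport.ps1; it assumes the AzureAD module is installed and Connect-AzureAD has already been run. The trailing review filter (password-expiry disabled on Company Administrators, disabled accounts still holding a role) is an addition beyond what the post describes.

```powershell
# Added example (not the author's script): enumerate every enabled Azure AD directory role,
# collect each member's common properties, and write a date-stamped CSV.
[CmdletBinding()]
param(
    [string] $ReportFile = 'Office365AdminGroupMembers.csv',
    [switch] $Overwrite
)

# Output name: <base>-ddMMyyyy.csv, plus a random suffix if that file exists and -Overwrite was not given.
$base  = [System.IO.Path]::GetFileNameWithoutExtension($ReportFile)
$dir   = Split-Path -Parent $ReportFile
if (-not $dir) { $dir = '.' }
$stamp = Get-Date -Format 'ddMMyyyy'
$out   = Join-Path $dir "$base-$stamp.csv"
if ((Test-Path $out) -and -not $Overwrite) {
    $suffix = [guid]::NewGuid().ToString('N').Substring(0, 8)
    $out    = Join-Path $dir "$base-$stamp-$suffix.csv"
}

$report = foreach ($role in Get-AzureADDirectoryRole) {
    Write-Verbose "Processing role: $($role.DisplayName)"
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Users and service principals expose different property sets; the object-specific
        # properties (UserPrincipalName, Homepage, PasswordPolicies) are simply blank where absent.
        [pscustomobject]@{
            Role              = $role.DisplayName
            DisplayName       = $member.DisplayName
            ObjectType        = $member.ObjectType
            AccountEnabled    = $member.AccountEnabled
            UserPrincipalName = $member.UserPrincipalName
            Homepage          = $member.Homepage
            PasswordPolicies  = $member.PasswordPolicies
        }
    }
}

$report | Sort-Object Role, DisplayName | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
Write-Verbose "Wrote $(@($report).Count) rows to $out"

# Review aid: Company Administrators whose passwords never expire, and disabled accounts
# that still hold any role. Both are worth a second look during the periodic membership review.
$report | Where-Object {
    ($_.Role -eq 'Company Administrator' -and $_.PasswordPolicies -match 'DisablePasswordExpiration') -or
    ($_.ObjectType -eq 'User' -and $_.AccountEnabled -eq $false)
}
```

Because Get-AzureADDirectoryRole returns only roles that have been enabled, a role nobody has ever been added to will not appear in the CSV at all; that is expected, not a gap in the data.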

You can download Get-O365AdminGroupsReport.ps1 from the TechNet Script Gallery.



Mailbox Permissions vs Mailbox Folder Permissions


When you are granting access for one user to access another mailbox, whether that be another user’s mailbox or a shared mailbox, you can configure the access using either mailbox permissions or mailbox folder permissions. The two approaches are suitable for different scenarios.

Mailbox Permissions

Mailbox permissions are used to grant access to an entire mailbox. Every folder within the mailbox, whether it be the Inbox, Calendar, or Contacts, allows the same level of access, when mailbox permissions are used.

The access granted through mailbox permissions is “Full Access”, meaning that the user can read, write, edit, create, delete, and so on.

When you assign mailbox permissions, you have the option to enable or disable auto-mapping. Auto-mapping will automatically connect Outlook users to mailboxes that they have been granted mailbox permissions to. This happens through Autodiscover, and Auto-mapping is enabled by default. When you grant a user mailbox permission to another mailbox you can optionally disable auto-mapping, in which case the user needs to manually open or add the mailbox to their Outlook profile.

However, Auto-mapping only works if you grant mailbox permissions to a user directly. If you grant mailbox permissions to a security group that the user is a member of, they’ll get access to the mailbox but auto-mapping won’t work at all.


Mailbox Folder Permissions

Mailbox Folder Permissions grant access to specific mailbox folders only. So if you grant a user permissions to the Inbox, they won’t get access to the Calendar as well.

Mailbox Folder Permissions can actually be configured by the mailbox owner themselves using Outlook. But administrators can do it as well, and are usually asked to handle it for the users anyway, especially for shared mailboxes.

When you use mailbox folder permissions, there’s a lot more control for the level of access granted. You can grant full access, or editor access, or reviewer access (which is like Read Only access). It’s not an all or nothing approach.

As a potential downside though, when you configure mailbox folder permissions, auto-mapping is not used at all. Users will always need to manually add mailboxes to their Outlook profile, if their access has been granted using mailbox folder permissions.

A common usage of mailbox folder permissions is granting read-only access to a specific mailbox folder. This can be achieved by granting a user the Reviewer role for the folder. Reviewer allows read access to the mailbox folder items, but no other access (e.g. the user can’t create items or delete existing items).
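The Reviewer case described above, shown alongside the mailbox-permission view so the difference between the two models is visible in the output. This is an added example, not code from the original post; it assumes an Exchange Management Shell or Exchange Online PowerShell session, and the mailbox and user names are placeholders.

```powershell
# Added example (not from the original post): grant read-only (Reviewer) access to one folder
# of a shared mailbox, then show that the user holds no mailbox-level permission and no access
# to a sibling folder. "Payroll" and "Alex.Heyne" are placeholder names.
$Mailbox = 'Payroll'
$User    = 'Alex.Heyne'

# Folder permissions are addressed as <mailbox>:\<folder path>.
$folder = "${Mailbox}:\Inbox"

# Add the entry if the user has none yet, otherwise update the existing one (Add fails on a duplicate).
$existing = Get-MailboxFolderPermission -Identity $folder -User $User -ErrorAction SilentlyContinue
if ($existing) {
    Set-MailboxFolderPermission -Identity $folder -User $User -AccessRights Reviewer
} else {
    Add-MailboxFolderPermission -Identity $folder -User $User -AccessRights Reviewer
}

'--- Mailbox permissions (expect no entry: the access is folder-level only) ---'
Get-MailboxPermission -Identity $Mailbox -User $User

'--- Inbox folder permission (expect Reviewer) ---'
Get-MailboxFolderPermission -Identity $folder -User $User

'--- Calendar folder permission (expect no entry: folder permissions do not cascade) ---'
Get-MailboxFolderPermission -Identity "${Mailbox}:\Calendar" -User $User -ErrorAction SilentlyContinue

# The Default and Anonymous entries define what anyone without an explicit entry gets on the folder,
# so they belong in any review of a shared mailbox's folder permissions.
Get-MailboxFolderPermission -Identity $folder | Where-Object { $_.User -match 'Default|Anonymous' }
```

Because nothing here touches Add-MailboxPermission, no Autodiscover auto-mapping entry is created; the user opens the folder through Outlook's File menu or by adding the mailbox to their profile, exactly as the section above describes.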



First Steps: Configuring Office 365 Groups Settings


Groups are a collaboration feature of Office 365 that allow teams to work together using a shared mailbox, calendar, SharePoint file repository, and OneNote notebook. Office 365 Groups are also a membership service for other applications such as Planner, Teams, and StaffHub. Groups should not be confused with security groups (which control access/permissions to resources) or distribution groups (which are used to distribute email to multiple recipients, although Groups can also do this).

Groups are enabled by default for Office 365 tenants, and Group creation is also enabled for any user in the organization. This allows users to create a Group for their team to collaborate, or create a team in Teams, or start using Planner, without any interaction from the IT department. It’s the type of freedom that many modern workplaces thrive on.

However, there are also environments where complete openness and free rein on Groups usage is a problem. Shortly after Groups first appeared in Office 365, a systems engineer at a large university commented to me that their students started creating hundreds of Groups with no real purpose. Some of the Groups were named specifically to make a joke or insult another person, knowing that the Group would appear in the Outlook address book and be visible to everyone.

There is also the recent controversy over Microsoft’s plans to implement automatic Group creation in Office 365 based on manager/reports relationships in Active Directory. The roll out of that change has slowed down so that more testing can be performed, and more feedback can be gathered, but at this stage it is still intended for the change to go ahead in the near future.

With those issues in mind, there are two configurations to look at:

  • The settings that control Group creation by users.
  • The setting that controls automatic Group creation based on manager/reports relationships.

Managing Office 365 Groups Settings

In the past the Groups controls have been applied using OWA mailbox policies to allow or disallow the creation of Groups. This approach was fine when Groups were primarily created and used via Outlook. But Groups is a feature that spans many Office 365 services (e.g. as mentioned earlier, Teams and Planner use Groups). So the OWA mailbox policy approach was only effective in preventing creation of Groups via Outlook, and would not prevent Groups from being created via other workloads (e.g. when a new Planner plan is created).

Eventually a tenant-wide control was added, and could be managed using PowerShell. However, this required a specific preview build of the MS Online PowerShell module (also known as Azure Active Directory Module V1). Getting the right build installed just to perform one configuration task was a bit frustrating, but fortunately only necessary as a one-time change (unless you wanted to modify the config again later on).

Fortunately, the controls are now coming to the Azure Active Directory Module V2, which I’ll just refer to here as the AzureAD module. As I’m writing this the necessary cmdlets are available in the AzureADPreview module, which can happily coexist with the AzureAD module on the same computer if necessary. You can check the PowerShell Gallery page for the AzureAD module to find out if the cmdlets used in the demos below (Get-AzureADDirectorySetting, Get-AzureADDirectorySettingTemplate, etc.) are included yet. If not, use the AzureADPreview module.

To get started, install the AzureAD or AzureADPreview module on your management workstation.

PS C:\> Install-Module AzureAD

Next, connect to Azure AD for your tenant, and then run Get-AzureADDirectorySetting to check for existing settings.

PS C:\> Connect-AzureAD
PS C:\> Get-AzureADDirectorySetting

Note: if you have both PowerShell modules installed and want to explicitly use the AzureADPreview module, run the following command to connect.

PS C:\> AzureADPreview\Connect-AzureAD

If you see no output from Get-AzureADDirectorySetting then there are no settings currently in place. However, if you see an entry that uses the TemplateId of 62375ab9-6b52-47ed-826b-58e47e0e304b with a DisplayName of Group.Unified, then you have an existing Groups settings configuration in place.

PS C:\> Get-AzureADDirectorySetting
Id                                   DisplayName   TemplateId                           Values
--                                   -----------   ----------                           ------
d9ac5e4f-f76e-4b0d-838e-d40aa97741fd Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...

To view the settings, run Get-AzureADDirectorySetting for the Id of your settings object, which in my example is d9ac5e4f-f76e-4b0d-838e-d40aa97741fd.

PS C:\> (Get-AzureADDirectorySetting -id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd).Values
Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   489c22bb-beba-4915-80b0-85c85f4c64e8
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

In the example above, Group creation is disabled except for members of the Group with Id 489c22bb-beba-4915-80b0-85c85f4c64e8, which is a group named Groups Admins in my tenant.

PS C:\> Get-AzureADGroup -ObjectId 489c22bb-beba-4915-80b0-85c85f4c64e8
ObjectId                             DisplayName   Description
--------                             -----------   -----------
489c22bb-beba-4915-80b0-85c85f4c64e8 Groups Admins

From here there’s a few different ways to go, depending on the outcome that you want to achieve. For this article I’ll demonstrate:

  • How to update an existing Groups settings configuration
  • How to remove an existing Groups settings configuration
  • How to configure Groups settings if no settings are already in place

How to Update an Existing Groups Settings Configuration

In the example shown above there is already a Groups settings configuration in place. For this demonstration I’ll modify the configuration so that Groups creation is available for all users, instead of being restricted to the members of one security group. The steps are:

  1. Retrieve the existing directory settings into an object
  2. Update the properties of the object
  3. Set the directory settings with the new object properties

PS C:\> $GroupsConfig = Get-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd
PS C:\> $GroupsConfig["GroupCreationAllowedGroupId"] = $null
PS C:\> $GroupsConfig["EnableGroupCreation"] = $true
PS C:\> Set-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd -DirectorySetting $GroupsConfig
PS C:\> (Get-AzureADDirectorySetting -id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd).Values
Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           True

Remove an Existing Groups Settings Configuration

If you’d prefer to just remove the settings entirely and let Office 365 apply the default Groups settings to your tenant, then you can do that by running the following command.

PS C:\> Remove-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd

Configure Groups Settings for Office 365

If you have no Groups settings configuration already in place, you can create a new one with the controls that you want for your organization. The controls that are available include:

  • EnableGroupCreation – this can be configured to True or False, and controls whether users who do not have admin rights can create Groups.
  • GroupCreationAllowedGroupId – this can be configured with the Guid of a security group that will be allowed to create Groups when EnableGroupCreation is set to False.
  • UsageGuidelinesUrl – a link to Groups usage guidelines for your organization. This could be the URL of an intranet page that informs users about how to effectively use Groups for collaboration.
  • ClassificationList – a comma-delimited list of classifications that can be applied to Groups, such as Internal Only, Confidential, Public, or any other classifications that are part of your information architecture. These classifications are a visual cue for your users to understand the nature of the information in the Group, but are not actually enforced by Office 365.
  • DefaultClassification – the default classification that will be applied if the Group owner or an administrator has not applied a classification yet.
  • AllowGuestsToAccessGroups – controls whether external users will be allowed to have access to Groups content. Note that external access to all Groups-based applications is not currently available (e.g. Teams does not support external/guest access at this time).
  • AllowGuestsToBeGroupOwner – controls whether an external user can be made the owner of a Group.
  • GuestUsageGuidelinesUrl – same as the UsageGuidelinesUrl but applies to guest users. Logically this would be an externally-accessible URL.
  • AllowToAddGuests – controls whether guests can be added at all.

Other settings for DefaultClassification, ClassificationDescriptions, and PrefixSuffixNamingRequirement are all slated for future releases.

For this example we’ll apply a Groups settings configuration that:

  • Enables Group creation for end users
  • Makes classifications of Internal Only, Confidential, and Public available
  • Disallows guest access
  • Links to an intranet page for Group usage guidelines

The steps are:

  1. Create a new settings object based on the available Group.Unified template
  2. Configure the desired settings in the settings object
  3. Set the Azure AD directory settings using the settings object

PS C:\> $GroupsConfig = (Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b).CreateDirectorySetting()
PS C:\> $GroupsConfig["AllowToAddGuests"] = $false
PS C:\> $GroupsConfig["AllowGuestsToAccessGroups"] = $false
PS C:\> $GroupsConfig["ClassificationList"] = "Internal Only,Confidential,Public"
PS C:\> $GroupsConfig["UsageGuidelinesUrl"] = "https://intranet/help-desk/groups-guidelines"
PS C:\> New-AzureADDirectorySetting -DirectorySetting $GroupsConfig

Note that there was no need to set EnableGroupCreation to True in the above commands because that is already the default value.
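The update and create procedures above combined into one idempotent script: it applies a desired Group.Unified configuration whether or not a settings object already exists, then reads the values back and reports any mismatch. This is an added example, not code from the original post; it assumes an AzureAD or AzureADPreview module with an open Connect-AzureAD session, reuses the Group.Unified template Id shown earlier in the post, and uses a placeholder security group name and intranet URL. Unlike the post's example it restricts creation to one group rather than enabling it for everyone.

```powershell
# Added example (not from the original post): create-or-update the Office 365 Groups settings
# object and verify the result. Template Id is the Group.Unified template from the post.
$TemplateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'

# Desired state. The group name is a placeholder; its ObjectId is looked up rather than hard-coded.
$AllowedGroupName = 'Groups Admins'
$allowedGroup     = Get-AzureADGroup -SearchString $AllowedGroupName | Select-Object -First 1
if (-not $allowedGroup) {
    throw "Security group '$AllowedGroupName' not found; refusing to disable creation with no allowed group."
}

$Desired = @{
    EnableGroupCreation         = 'False'
    GroupCreationAllowedGroupId = $allowedGroup.ObjectId
    ClassificationList          = 'Internal Only,Confidential,Public'
    UsageGuidelinesUrl          = 'https://intranet/help-desk/groups-guidelines'   # placeholder URL
    AllowToAddGuests            = 'False'
    AllowGuestsToAccessGroups   = 'False'
}

$existing = Get-AzureADDirectorySetting | Where-Object { $_.TemplateId -eq $TemplateId } | Select-Object -First 1

if ($existing) {
    # Update path: fetch the object, change the values, write it back under its own Id.
    $config = Get-AzureADDirectorySetting -Id $existing.Id
    foreach ($k in $Desired.Keys) { $config[$k] = $Desired[$k] }
    Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $config
    $id = $existing.Id
} else {
    # Create path: instantiate from the template, set the values, create.
    $config = (Get-AzureADDirectorySettingTemplate -Id $TemplateId).CreateDirectorySetting()
    foreach ($k in $Desired.Keys) { $config[$k] = $Desired[$k] }
    $id = (New-AzureADDirectorySetting -DirectorySetting $config).Id
}

# Read back and compare with the desired state; Match = False rows need follow-up.
$values = (Get-AzureADDirectorySetting -Id $id).Values
foreach ($k in $Desired.Keys) {
    $actual = ($values | Where-Object Name -eq $k).Value
    [pscustomobject]@{
        Setting = $k
        Desired = $Desired[$k]
        Actual  = $actual
        Match   = ($actual -eq $Desired[$k])
    }
}
```

The lookup-and-throw at the top guards against the one combination that locks everyone out: EnableGroupCreation set to False with an empty GroupCreationAllowedGroupId. The read-back loop is the same check you would run on a schedule to detect drift from the configuration you intended.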

Configuring Automatic Group Creation Settings

In March 2017 Microsoft announced a change to Office 365 that will automatically create Groups based on manager/reports relationships in Active Directory. There are some conditions that Microsoft will be applying to determine whether a Group should be created for a manager and their team of direct reports, which you can read more about here.

If your organization wants to prevent the automatic Group creation from occurring, you can disable it by connecting to Exchange Online using PowerShell, and then running the following command.

PS C:\> Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled:$false

Summary

Office 365 Groups are a useful feature that customers can use for team collaboration. However, some organizations will need to control how Groups are created, or prevent them from being created at all, in order to comply with their own internal IT requirements. Every organization should at least check the Groups settings for their tenant to ensure they meet their expectations.


What’s New in Office 365 for April 2017


Office 365 for IT Pros, 3rd Edition is continually updated with new information, changes and corrections. Customers who bought the book from this website can download the updated files from their purchase history. Updates applied to the Amazon Kindle version are available through your Kindle library after they are approved by Amazon.

During April Microsoft has launched quite a few new apps and features in Office 365. The new To-Do app is available in Preview, and is built by the same team that created Wunderlist (acquired by Microsoft in 2015). Wunderlist lives on while features are added to To-Do, but will eventually be shut down. As a preview release To-Do is a basic personal task list app with a few nice features such as the “My day” list of tasks. To-Do integrates with Outlook tasks but doesn’t integrate with tasks from other services like Planner or SharePoint.

Outlook Customer Manager, which is a lightweight CRM for Outlook users released last November, is now rolling out to Office 365 Business Premium customers around the world, and is also now being added to Outlook for iOS for mobile access. Interestingly it also adds the ability to delegate the scheduling of customer meetings to Cortana. It will be interesting to see the results of that. AI-driven scheduling could be very efficient, but on the other hand there’s bound to be someone who gets offended at the lack of personal interaction.

In Security and Compliance Land the new Office 365 Threat Intelligence features have just arrived in my tenant. Threat Intelligence, available for Enterprise E5 tenants or as a separate add-on license, combines threat information gleaned from industry reports, telemetry from Microsoft’s cloud services, and analytics from within your own tenant to provide you with what Microsoft refers to as “actionable intelligence”. I’m still exploring this in my own tenant, but the idea is that you can look at reports such as malware detection, identify users in your organization who are being targeted, or create alerts when a user has been targeted by malware.

Custom sensitive information types have also been added to the Security and Compliance Center. If you’ve worked with Exchange Data Loss Prevention (DLP) in the past then you might already be familiar with the process of creating definitions based on regex or keywords to meet specific DLP requirements that aren’t covered by the built-in functionality. Creating a sensitive information type involves authoring a specially formatted XML file that is imported using PowerShell, so it’s not a simple task. But the good news is if you’ve already invested the time to define sensitive information types in your Exchange Online DLP configuration, they’ll be ported automatically to the Security and Compliance Center for use across all workloads.

A new enhanced reporting dashboard has also been added to the Security and Compliance Center. Everybody loves a good dashboard.

Office 365 Groups receives another big round of updates and improvements, including:

  • The addition of guest management controls in the Office 365 admin portal and Exchange Admin Center. You can add existing guest users to Groups, or remove them. But at this stage you can’t invite new guests to your organization.
  • In a big step forward for compliance, Groups can now have retention policies applied to them. Tony Redmond walks through the new capabilities, including a few gotchas to be aware of, in his article on Petri.
  • The ability to upgrade Exchange distribution lists to Office 365 Groups has been added as a one-click option for distribution list owners. PowerShell scripts have also been provided for bulk conversions. Only cloud-managed, non-nested distribution lists that have no moderation or send-on-behalf settings, aren’t hidden from address lists, and only contain user mailboxes, team mailboxes, shared mailboxes, or mail users can be upgraded. That narrows the use case quite a bit, but should result in more adoption of Groups by customers.
  • Groups access has also been added to the latest Outlook for iOS and Android apps, as well as Outlook for Mac. The standalone Groups mobile apps will remain available as well until Outlook has full support for Group files, calendars, and notebooks.
  • The New-UnifiedGroup cmdlet has been modified to remove the SuppressWarmupMessage when creating new Groups, apparently due to confusion over its purpose.

Office 365 ProPlus received big news in April:

  • Advanced Threat Protection (ATP) Safe Links has been added to Office applications. Now when users in ATP-enabled tenants click on hyperlinks in documents, the links will receive the same checking that Safe Links performs on links in emails. However, unlike emails, the links themselves are not rewritten in the documents. The experience so far has been a little rough for me, with multiple timeouts on the link checks, but it seems to be improving.
  • The update model for Office 365 ProPlus is changing to align with Windows 10 updates. There will now be two updates to Office 365 ProPlus per year instead of three, with the updates targeted for March and September. Support for each release is being extended from 12 months to 18 months as well. These changes should take some of the pressure off support staff who are trying to manage deployment and updates across large fleets of desktops. As part of the change, the update channels for Office 365 ProPlus are being renamed, again. For example, from September 2017 the Current Channel will now be called the Monthly Channel, and the Deferred Channel will be called the Semi-annual Channel (Broad). I don’t think the names are an improvement but I guess they were deemed necessary.

In other Office 365 news:

The post What’s New in Office 365 for April 2017 appeared first on Practical 365.


Managing Office 365 Licenses with the Azure AD V2 PowerShell Module


In Office 365 we have three methods of managing license assignments for individual or multiple user accounts.

The Office 365 admin portal provides a simple web interface for managing license assignments. It’s easy to add a license for a user, or for multiple users, enable or disable sub-SKU features (the individual services that are included in a license), or remove a license. Licenses for multiple users can be managed at the same time. This method is useful for ad-hoc license management, or for bulk assigning licenses when you first provision an Office 365 tenant. The web interface is friendly for even a non-technical user, so license management tasks can be delegated to people outside of IT support if necessary.

Azure Active Directory group-based licensing, which I wrote about here, simplifies license management by mapping license assignments to groups. License management for end users is then a simple task of adding or removing users in groups, and doesn’t require the ongoing use of Office 365 management tools.

In this article I’m going to demonstrate how to manage Office 365 licenses using PowerShell. This is more complex than either of the previous methods, but is useful for automating license assignments as part of a user provisioning process. PowerShell is also a good method for querying license usage and generating your own custom reports for license consumption, which can help you to manage your costs over time.

We’ll look at:

The Azure AD V2 PowerShell Module

License management in Office 365 is performed using the Azure Active Directory PowerShell module. The first version of this PowerShell module is also known as the MS Online module, and uses cmdlets with “Msol” in the name, for example Connect-MsolService and Get-MsolUser.

While the MS Online module is still available today, it will be deprecated in the near future. A new Azure Active Directory PowerShell V2 module has been developed to replace it. This module is also known as the Azure AD module. The Azure AD module uses the Office 365 Graph API to interact with Office 365. Microsoft aims to migrate the functionality of the MS Online module to the Azure AD module, and recommends that you use Azure AD for any script development. In this blog post I will demonstrate license management using the Azure AD module.

The Azure AD module is installed using PowerShellGet, which is included with Windows Management Framework (WMF) 5.0 (PowerShell 5.0). Windows 10 and Windows Server 2012 R2 or later ship with PowerShell 5.0 installed by default, which means that PowerShellGet is already available. For earlier operating systems, you’ll either need to upgrade to WMF 5.0, or install PowerShellGet for PowerShell 3.0 or 4.0. Some applications such as Exchange Server are sensitive to changes in the version of WMF that is installed on the system, so you should not upgrade WMF until you’ve verified that all your installed software will continue to work.

PS C:\> Install-Module AzureAD

After the Azure AD module is installed you can connect to your Office 365 tenant by running the Connect-AzureAD cmdlet, and then entering your admin credentials when prompted. The Azure AD module supports the use of multi-factor authentication (MFA).

PS C:\> Connect-AzureAD

To explore the available cmdlets in the Azure AD module, run the following command.

PS C:\> Get-Command -Module AzureAD

As a side note, Connect-AzureAD will also work with the stored credentials function (Get-StoredCredential), as long as your account does not require MFA or you’re connecting from a network that allows MFA to be bypassed.

PS C:\> Connect-AzureAD -Credential (Get-StoredCredential -UserName admin@exchangeserverpro.onmicrosoft.com)

Listing Available Licenses

The Get-AzureADSubscribedSku cmdlet is used to query the licenses that your organization has subscribed to in Office 365.

PS C:\> Get-AzureADSubscribedSku | Select Sku*,*Units
SkuId                                SkuPartNumber  ConsumedUnits PrepaidUnits
-----                                -------------  ------------- ------------
6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK            14 class LicenseUnitsDetail {...
efccb6f7-5641-4e0e-bd10-b4976e1bf68e EMS                        2 class LicenseUnitsDetail {...

A more detailed view of the licenses that are enabled and consumed is available by expanding the PrepaidUnits property.

PS C:\> Get-AzureADSubscribedSku | Select -Property Sku*,ConsumedUnits -ExpandProperty PrepaidUnits
SkuId         : 6fd2c87f-b296-42f0-b197-1e91e994b900
SkuPartNumber : ENTERPRISEPACK
ConsumedUnits : 17
Enabled       : 25
Suspended     : 0
Warning       : 0
SkuId         : efccb6f7-5641-4e0e-bd10-b4976e1bf68e
SkuPartNumber : EMS
ConsumedUnits : 2
Enabled       : 5
Suspended     : 0
Warning       : 0

In the output above we can see that my tenant has 25 “ENTERPRISEPACK” licenses, and 5 “EMS” licenses. The SkuPartNumber for each does not precisely match the name of the license that you’ll see in Office 365 documentation or in the license management sections of the Office 365 admin portal. For example, ENTERPRISEPACK is the SkuPartNumber for the Enterprise E3 license, while EMS is the SkuPartNumber for the Enterprise Mobility and Security E3 license. A complete list of part numbers and friendly names isn’t available on Microsoft online documentation sites, although with a little searching and common sense you can usually work out what they mean. If there’s any confusion, opening a support ticket with Microsoft will get you the answers you need.

The individual license features and services, also referred to as sub-SKU features, can also be inspected. As with the SkuPartNumber values, the ServicePlanName values are not a match for the friendly names that you see in the Office 365 or Azure admin portals, but names like SWAY, POWERAPPS_O365_P2, and EXCHANGE_S_ENTERPRISE are obvious. Others are not so obvious, such as MCOSTANDARD (Skype for Business Online), but again some searching online will usually clear up any confusion.

PS C:\> $licenses = Get-AzureADSubscribedSku
PS C:\> $licenses[0].SkuPartNumber
ENTERPRISEPACK
PS C:\> $licenses[0].ServicePlans
AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            8c7d2df8-86f0-4902-b2ed-a0458298f3b3 Deskless
User      Success            76846ad7-7776-4c40-a281-a386362dd1b9 FLOW_O365_P2
User      Success            c68f8d98-5534-41c8-bf36-22fa496fa792 POWERAPPS_O365_P2
User      Success            57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1
User      Success            b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT
User      Success            a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY
Company   Success            882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365
User      Success            7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE
User      Success            bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE
User      Success            43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION
User      Success            0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD
User      Success            e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC
User      Success            5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE
User      Success            efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE
PS C:\> $licenses[1].SkuPartNumber
EMS
PS C:\> $licenses[1].ServicePlans
AppliesTo ProvisioningStatus ServicePlanId                        ServicePlanName
--------- ------------------ -------------                        ---------------
User      Success            6c57d4b6-3b23-47a5-9bc9-69f17b4947b3 RMS_S_PREMIUM
User      Success            c1ec4a95-1f05-45b3-a911-aa3fa01094f5 INTUNE_A
User      Success            bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE
User      Success            41781fb2-bc02-4b7c-bd55-b576c07bb09d AAD_PREMIUM
User      Success            8a256a2b-b617-496d-b51b-e76466e88db0 MFA_PREMIUM

Querying License Assignments for User Accounts

There are two user properties that reveal the license assignments for a user. The first is the AssignedLicenses property, which can be retrieved using Get-AzureADUser.

PS C:\> Get-AzureADUser -SearchString jane.tulley@exchangeserverpro.net | Select -ExpandProperty AssignedLicenses
DisabledPlans                          SkuId
-------------                          -----
{7547a3fe-08ee-4ccb-b430-5077c5041653} 6fd2c87f-b296-42f0-b197-1e91e994b900

In the output above we can see the SkuId of the license that is assigned to the user. The matching license can be found by running Get-AzureADSubscribedSku, which in the output below we can see is the ENTERPRISEPACK license (Enterprise E3).

PS C:\> Get-AzureADSubscribedSku | Where {$_.SkuId -eq "6fd2c87f-b296-42f0-b197-1e91e994b900"}
ObjectId                                                                  SkuPartNumber
--------                                                                  -------------
2b9bca49-687e-4e5f-8a52-21350b719b06_6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK

The Get-AzureADUser output shown above also reveals the DisabledPlans property. This property contains the ServicePlanId values of the sub-SKU features that have been disabled for the user. There are two ways to match those ServicePlanId values to the actual names of the sub-SKU features. The first is to use the output of Get-AzureADSubscribedSku to view the ServicePlanId values for the individual services, as demonstrated earlier. For the example of Jane Tulley, the ID of the disabled plan is “7547a3fe-08ee-4ccb-b430-5077c5041653”, which is YAMMER_ENTERPRISE in the list of service plans for the ENTERPRISEPACK license.

The other approach is to look at the AssignedPlans property of the user.

PS C:\> Get-AzureADUser -SearchString jane.tulley@exchangeserverpro.net | Select -ExpandProperty AssignedPlans
AssignedTimestamp     CapabilityStatus Service                       ServicePlanId
-----------------     ---------------- -------                       -------------
1/05/2017 11:01:50 AM Enabled          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
1/05/2017 11:01:50 AM Enabled          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
1/05/2017 11:01:50 AM Enabled          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
1/05/2017 11:01:50 AM Enabled          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
1/05/2017 11:01:50 AM Enabled          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
27/02/2017 5:43:09 AM Enabled          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
27/02/2017 5:40:56 AM Suspended        YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
19/01/2017 6:24:33 AM Enabled          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0
19/01/2017 6:24:33 AM Enabled          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
19/01/2017 6:24:33 AM Enabled          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
19/01/2017 6:24:33 AM Enabled          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
19/01/2017 6:24:33 AM Enabled          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
19/01/2017 6:24:33 AM Enabled          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9

In the output above we can see that the “YammerEnterprise” service is suspended, and has a ServicePlanId matching the ID in the list of DisabledPlans we saw earlier.

You will also notice that the service names returned in the Get-AzureADUser output do not always match the service plan names returned in the Get-AzureADSubscribedSku output. For example, Get-AzureADUser shows a service name of “TeamspaceAPI” whereas Get-AzureADSubscribedSku shows the same service as “TEAMS1”. These differences are mildly irritating but do reinforce the idea that you should match two different pieces of data by the ServicePlanId, not by the friendly name, whenever you are running PowerShell cmdlets or writing scripts to manage your licenses.

For administrators who are familiar with using the MS Online PowerShell module to manage licenses, there is one minor difference to be aware of. The Get-AzureADUser and Get-MsolUser cmdlets return slightly different information for the same user object. Get-AzureADUser will only return sub-SKU features that are Enabled, Deleted or Suspended, whereas Get-MsolUser will return the status of all sub-SKU features. Here’s an example, using an account where I’ve disabled several sub-SKU features to demonstrate the differences in cmdlet output.

PS C:\> Get-AzureADUser -SearchString aisha.bhari@exchangeserverpro.net | Select -ExpandProperty AssignedPlans
AssignedTimestamp     CapabilityStatus Service               ServicePlanId
-----------------     ---------------- -------               -------------
1/05/2017 11:12:19 AM Enabled          SharePoint            5dbe027f-2339-4123-9542-606e4d348a72
1/05/2017 11:12:19 AM Enabled          SharePoint            e95bec33-7c88-4a70-8e19-b10bd9d0c014
1/05/2017 11:12:19 AM Enabled          MicrosoftOffice       43de0ff5-c92c-492b-9116-175376d08c38
1/05/2017 11:12:19 AM Enabled          ProjectWorkManagement b737dad2-2f6c-4c65-90e3-ca563267e8b9
1/05/2017 11:12:19 AM Enabled          TeamspaceAPI          57ff2da0-773e-42df-b2af-ffb7a2317929
1/05/2017 11:12:19 AM Enabled          PowerAppsService      c68f8d98-5534-41c8-bf36-22fa496fa792
1/05/2017 11:12:19 AM Enabled          ProcessSimple         76846ad7-7776-4c40-a281-a386362dd1b9
PS C:\> (Get-MsolUser -UserPrincipalName aisha.bhari@exchangeserverpro.net).Licenses[0].ServiceStatus
ServicePlan           ProvisioningStatus
-----------           ------------------
Deskless              Disabled
FLOW_O365_P2          Success
POWERAPPS_O365_P2     Success
TEAMS1                Success
PROJECTWORKMANAGEMENT Success
SWAY                  Disabled
INTUNE_O365           Success
YAMMER_ENTERPRISE     Disabled
RMS_S_ENTERPRISE      Disabled
OFFICESUBSCRIPTION    Success
MCOSTANDARD           Disabled
SHAREPOINTWAC         Success
SHAREPOINTENTERPRISE  Success
EXCHANGE_S_ENTERPRISE Disabled
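To show the ServicePlanId-based matching described above in practice, here is an added example (my own code, not from the original article) that builds a per-user license report. It resolves each user’s SkuId to a SkuPartNumber and each DisabledPlans entry to a ServicePlanName using Get-AzureADSubscribedSku, and assumes an existing Connect-AzureAD session; the function names are this example’s own.

```powershell
# Added example (not from the original article): per-user license report that joins
# AssignedLicenses to Get-AzureADSubscribedSku on SkuId/ServicePlanId, not on display names.
# Assumes Connect-AzureAD has already been run.

function Get-LicenseLookup {
    # Returns two hashtables: SkuId -> SkuPartNumber and ServicePlanId -> ServicePlanName.
    $skuNames  = @{}
    $planNames = @{}
    foreach ($sku in Get-AzureADSubscribedSku) {
        $skuNames[$sku.SkuId.ToString()] = $sku.SkuPartNumber
        foreach ($plan in $sku.ServicePlans) {
            # The same ServicePlanId (e.g. RMS_S_ENTERPRISE) can appear in several SKUs
            # with the same name, so overwriting is harmless.
            $planNames[$plan.ServicePlanId.ToString()] = $plan.ServicePlanName
        }
    }
    return @{ Sku = $skuNames; Plan = $planNames }
}

function Get-UserLicenseReport {
    param(
        # Limit the report to specific users (UPNs); default is every user in the tenant.
        [string[]]$UserPrincipalName
    )
    $lookup = Get-LicenseLookup
    $users = if ($UserPrincipalName) {
        $UserPrincipalName | ForEach-Object { Get-AzureADUser -ObjectId $_ }
    } else {
        Get-AzureADUser -All $true
    }
    foreach ($user in $users) {
        if (-not $user.AssignedLicenses) {
            # Unlicensed accounts are still listed so the report can flag them.
            [PSCustomObject]@{
                UserPrincipalName = $user.UserPrincipalName
                UsageLocation     = $user.UsageLocation
                SkuPartNumber     = $null
                DisabledPlans     = $null
            }
            continue
        }
        foreach ($assigned in $user.AssignedLicenses) {
            $skuId = $assigned.SkuId.ToString()
            $disabled = @($assigned.DisabledPlans | ForEach-Object {
                $id = $_.ToString()
                if ($lookup.Plan.ContainsKey($id)) { $lookup.Plan[$id] } else { $id }
            })
            [PSCustomObject]@{
                UserPrincipalName = $user.UserPrincipalName
                UsageLocation     = $user.UsageLocation
                # Fall back to the raw SkuId if the SKU is no longer subscribed.
                SkuPartNumber     = if ($lookup.Sku.ContainsKey($skuId)) { $lookup.Sku[$skuId] } else { $skuId }
                DisabledPlans     = ($disabled -join ',')
            }
        }
    }
}

# Report every user and export the result for review (one row per user per SKU).
Get-UserLicenseReport | Export-Csv -Path .\LicenseReport.csv -NoTypeInformation
```

Running the report on a schedule and comparing exports makes unexpected license assignments or plan changes easy to spot.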

Assigning a Single License Using PowerShell

The Set-AzureADUserLicense cmdlet assigns and removes Office 365 licenses to user accounts. A simple example is assigning a license to a new user account. Before assigning the license, the usage location of the account also needs to be configured. The license assignment process involves a series of steps to:

  1. Create an assigned license (singular) object
  2. Add the assigned license object to another object representing the assigned licenses (plural)
  3. Run Set-AzureADUserLicense and provide the value for the assigned licenses (plural)

To perform those steps we need to know the ObjectId of the user account, and the SkuId of the license.

PS C:\> Get-AzureADSubscribedSku | Select Sku*
SkuId                                SkuPartNumber
-----                                -------------
6fd2c87f-b296-42f0-b197-1e91e994b900 ENTERPRISEPACK
efccb6f7-5641-4e0e-bd10-b4976e1bf68e EMS
PS C:\> $User = Get-AzureADUser -SearchString sharon.butler@exchangeserverpro.net
PS C:\> $user
ObjectId                             DisplayName   UserPrincipalName                   UserType
--------                             -----------   -----------------                   --------
9930a287-640e-4670-a2ae-2ba3eb5fca33 Sharon Butler Sharon.Butler@exchangeserverpro.net Member

Now we can go ahead and create the license assignment.

PS C:\> Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation AU
PS C:\> $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = $License
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign

The user now has a single license SKU assigned, and the plans for that license are enabled.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedLicenses
DisabledPlans SkuId
------------- -----
{}            6fd2c87f-b296-42f0-b197-1e91e994b900
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service                       ServicePlanId
-----------------    ---------------- -------                       -------------
2/05/2017 2:41:26 AM Enabled          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
2/05/2017 2:41:26 AM Enabled          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
2/05/2017 2:41:26 AM Enabled          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
2/05/2017 2:41:26 AM Enabled          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
2/05/2017 2:41:26 AM Enabled          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
2/05/2017 2:41:26 AM Enabled          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9
2/05/2017 2:41:26 AM Enabled          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
2/05/2017 2:41:26 AM Enabled          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
2/05/2017 2:41:26 AM Enabled          YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
2/05/2017 2:41:26 AM Enabled          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
2/05/2017 2:41:26 AM Enabled          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 2:41:26 AM Enabled          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
2/05/2017 2:41:26 AM Enabled          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0

Assigning Multiple Licenses Using PowerShell

Using the same steps as above you can assign an additional license to a user. For example, if we wanted to add the EMS license to the user who is already licensed for Enterprise E3, we could simply re-run the steps above using the SkuId for the EMS license.

If you would like to assign multiple licenses at the same time you can do so with just a small modification to the process. Remember, we’re creating an assigned license (singular) object, and adding it to an assigned licenses (plural) object. We can add multiple assigned license (singular) objects by repeating those commands. Here’s an example of licensing a user for Enterprise E3 and EMS at the same time.

PS C:\> $User = Get-AzureAdUser -SearchString vik.kirby@exchangeserverpro.net
PS C:\> Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation AU
PS C:\> $E3License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $EMSLicense = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $E3License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
PS C:\> $EMSLicense.SkuId = "efccb6f7-5641-4e0e-bd10-b4976e1bf68e"
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = $E3License,$EMSLicense
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans

The user now has multiple license SKUs assigned, and the services for both of those SKUs are enabled.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedLicenses
DisabledPlans SkuId
------------- -----
{}            efccb6f7-5641-4e0e-bd10-b4976e1bf68e
{}            6fd2c87f-b296-42f0-b197-1e91e994b900
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service                       ServicePlanId
-----------------    ---------------- -------                       -------------
2/05/2017 2:39:08 AM Enabled          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
2/05/2017 2:39:08 AM Enabled          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
2/05/2017 2:39:08 AM Enabled          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
2/05/2017 2:39:08 AM Enabled          AADPremiumService             41781fb2-bc02-4b7c-bd55-b576c07bb09d
2/05/2017 2:39:08 AM Enabled          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
2/05/2017 2:39:08 AM Enabled          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
2/05/2017 2:39:08 AM Enabled          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9
2/05/2017 2:39:08 AM Enabled          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
2/05/2017 2:39:08 AM Enabled          RMSOnline                     6c57d4b6-3b23-47a5-9bc9-69f17b4947b3
2/05/2017 2:39:08 AM Enabled          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
2/05/2017 2:39:08 AM Enabled          YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
2/05/2017 2:39:08 AM Enabled          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
2/05/2017 2:39:08 AM Enabled          MultiFactorService            8a256a2b-b617-496d-b51b-e76466e88db0
2/05/2017 2:39:08 AM Enabled          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 2:39:08 AM Enabled          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
2/05/2017 2:39:08 AM Enabled          SCO                           c1ec4a95-1f05-45b3-a911-aa3fa01094f5
2/05/2017 2:39:08 AM Enabled          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0

In the output above you might notice that Intune, which is included with the EMS license, is not listed as a service. This is another example of how Get-AzureADUser doesn’t show services that are not in an enabled, suspended, or deleted state. Intune requires activation for the user, and is in a “PendingInput” state when the license is initially assigned to the user as you can see in the Get-MsolUser output below.

PS C:\> Get-MsolUser -UserPrincipalName vik.kirby@exchangeserverpro.net | Select -ExpandProperty Licenses | Select -ExpandProperty ServiceStatus
ServicePlan           ProvisioningStatus
-----------           ------------------
RMS_S_PREMIUM         Success
INTUNE_A              PendingInput
RMS_S_ENTERPRISE      Success
AAD_PREMIUM           Success
MFA_PREMIUM           Success
...

Assigning Licenses with Sub-SKU Features Disabled

Office 365 licenses such as Enterprise E3 and E5 allow access to multiple services and applications. For some organizations it is required to disable some of the features of a license, either because the feature should not be used in that environment, or simply to manage a staged roll out and adoption of Office 365 features.

To assign a license with sub-SKU features disabled we use the same process demonstrated earlier, but this time we need to configure the license object with enabled and disabled plans before applying the license to the user. For this example I’ll assign an E3 license but only enable the Exchange Online mailbox and the Office 365 ProPlus applications.

PS C:\> $User = Get-AzureADUser -SearchString blake.johnson@exchangeserverpro.net
PS C:\> Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation AU
PS C:\> $SkuFeaturesToEnable = @("EXCHANGE_S_ENTERPRISE","OFFICESUBSCRIPTION")
PS C:\> $StandardLicense = Get-AzureADSubscribedSku | Where {$_.SkuId -eq "6fd2c87f-b296-42f0-b197-1e91e994b900"}
PS C:\> $SkuFeaturesToDisable = $StandardLicense.ServicePlans | ForEach-Object { $_ | Where {$_.ServicePlanName -notin $SkuFeaturesToEnable }}
PS C:\> $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $License.SkuId = $StandardLicense.SkuId
PS C:\> $License.DisabledPlans = $SkuFeaturesToDisable.ServicePlanId
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = $License
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign

The user now has the license SKU assigned, but with multiple disabled plans. Only the two enabled features are showing as enabled services for the user as well.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedLicenses | fl
DisabledPlans : {8c7d2df8-86f0-4902-b2ed-a0458298f3b3, 76846ad7-7776-4c40-a281-a386362dd1b9,
                c68f8d98-5534-41c8-bf36-22fa496fa792, 57ff2da0-773e-42df-b2af-ffb7a2317929...}
SkuId         : 6fd2c87f-b296-42f0-b197-1e91e994b900
PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service         ServicePlanId
-----------------    ---------------- -------         -------------
2/05/2017 2:58:15 AM Enabled          MicrosoftOffice 43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 2:58:15 AM Enabled          exchange        efb87545-963c-4e0d-99df-69c6916d9eb0
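The steps above, wrapped into a reusable function as an added example (my own code, not from the original article). It resolves the SkuId from the SkuPartNumber instead of hardcoding it, rejects plan names that don’t exist in the SKU (with the approach above, a misspelled name would silently leave that plan disabled), and refuses to assign when no purchased units are free. It assumes an existing Connect-AzureAD session; the function name and parameters are this example’s own.

```powershell
# Added example (not from the original article): assign a license by SkuPartNumber with
# only the named service plans enabled. Assumes Connect-AzureAD has already been run.

function Set-UserLicenseWithPlans {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        [Parameter(Mandatory = $true)][string]$SkuPartNumber,
        # ServicePlanName values (as shown by Get-AzureADSubscribedSku) to leave enabled.
        # An empty list enables every plan in the SKU.
        [string[]]$EnabledPlans = @(),
        # Applied only if the account has no UsageLocation yet.
        [string]$UsageLocation = 'AU'
    )

    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not subscribed in this tenant." }

    # Enabled minus consumed is what can still be assigned without exceeding the purchase.
    $available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($available -lt 1) {
        throw "No free units for '$SkuPartNumber' ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) consumed)."
    }

    # Validate the requested plan names against the SKU so a typo fails loudly.
    $knownPlans = $sku.ServicePlans.ServicePlanName
    $unknown = $EnabledPlans | Where-Object { $_ -notin $knownPlans }
    if ($unknown) { throw "Plan(s) not part of '$SkuPartNumber': $($unknown -join ', ')" }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $alreadyAssigned = $user.AssignedLicenses | Where-Object { "$($_.SkuId)" -eq "$($sku.SkuId)" }
    if ($alreadyAssigned) {
        Write-Verbose "$UserPrincipalName already has $SkuPartNumber; its plans will be updated."
    }
    if (-not $user.UsageLocation) {
        Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $UsageLocation
    }

    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    if ($EnabledPlans.Count -gt 0) {
        # Everything in the SKU that was not explicitly requested is disabled, matched by ServicePlanId.
        $license.DisabledPlans = ($sku.ServicePlans |
            Where-Object { $_.ServicePlanName -notin $EnabledPlans }).ServicePlanId
    }
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license

    $action = "Assign $SkuPartNumber with enabled plans: $($EnabledPlans -join ', ')"
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, $action)) {
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
        # Return what was actually applied so the caller can verify the DisabledPlans list.
        Get-AzureADUser -ObjectId $user.ObjectId | Select-Object -ExpandProperty AssignedLicenses
    }
}

# Same scenario as above: E3 with only Exchange Online and Office 365 ProPlus enabled.
# -WhatIf shows the intended change without applying it; drop it to assign for real.
Set-UserLicenseWithPlans -UserPrincipalName 'blake.johnson@exchangeserverpro.net' `
    -SkuPartNumber 'ENTERPRISEPACK' `
    -EnabledPlans 'EXCHANGE_S_ENTERPRISE','OFFICESUBSCRIPTION' -WhatIf
```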

Removing Licenses Using PowerShell

For the final demonstration in this article let’s look at how to remove an assigned license using PowerShell. The Set-AzureADUserLicense cmdlet is used for this task, and the process is similar to adding a license. The difference is that when creating the assigned licenses (plural) object we use RemoveLicenses instead of AddLicenses, and provide only the SkuId instead of the full license object.

PS C:\> $User = Get-AzureAdUser -SearchString sue.cooper@exchangeserverpro.net 
PS C:\> $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
PS C:\> $License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
PS C:\> $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
PS C:\> $LicensesToAssign.AddLicenses = @()
PS C:\> $LicensesToAssign.RemoveLicenses = $License.SkuId
PS C:\> Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $LicensesToAssign

The user has now had each of the previously licensed features marked as deleted due to the license being removed.

PS C:\> Get-AzureADUser -ObjectId $User.ObjectId | Select -ExpandProperty AssignedPlans
AssignedTimestamp    CapabilityStatus Service                       ServicePlanId
-----------------    ---------------- -------                       -------------
2/05/2017 3:08:16 AM Deleted          TeamspaceAPI                  57ff2da0-773e-42df-b2af-ffb7a2317929
2/05/2017 3:08:16 AM Deleted          MicrosoftCommunicationsOnline 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
2/05/2017 3:08:16 AM Deleted          PowerAppsService              c68f8d98-5534-41c8-bf36-22fa496fa792
2/05/2017 3:08:16 AM Deleted          ProcessSimple                 76846ad7-7776-4c40-a281-a386362dd1b9
2/05/2017 3:08:16 AM Deleted          SharePoint                    e95bec33-7c88-4a70-8e19-b10bd9d0c014
2/05/2017 3:08:16 AM Deleted          ProjectWorkManagement         b737dad2-2f6c-4c65-90e3-ca563267e8b9
2/05/2017 3:08:16 AM Deleted          RMSOnline                     bea4c11e-220a-4e6d-8eb8-8ea15d019f90
2/05/2017 3:08:16 AM Deleted          SharePoint                    5dbe027f-2339-4123-9542-606e4d348a72
2/05/2017 3:08:16 AM Deleted          YammerEnterprise              7547a3fe-08ee-4ccb-b430-5077c5041653
2/05/2017 3:08:16 AM Deleted          Deskless                      8c7d2df8-86f0-4902-b2ed-a0458298f3b3
2/05/2017 3:08:16 AM Deleted          MicrosoftOffice               43de0ff5-c92c-492b-9116-175376d08c38
2/05/2017 3:08:16 AM Deleted          Sway                          a23b959c-7ce8-4e57-9140-b90eb88a9e97
2/05/2017 3:08:16 AM Deleted          exchange                      efb87545-963c-4e0d-99df-69c6916d9eb0

Summary

As you can see, managing Office 365 licenses with the Azure AD V2 PowerShell module is a complex task at first, but once you’ve performed the steps a few times it should become much more comfortable. Azure AD group-based license management is simpler, but won’t fit everyone’s needs. Using PowerShell to manage licenses like this will suit organizations who want to automate license assignments as part of other processes. The use of the Graph API also means you can ignore the Azure AD module itself and write custom code to interact with the REST API to perform the same tasks. That is outside the scope of this blog post, but it’s something you can explore if custom development and integration into third party systems is a requirement for you.

The post Managing Office 365 Licenses with the Azure AD V2 PowerShell Module appeared first on Practical 365.

Controlling Exchange Online Mailbox Features with Mailbox Plans


When an Exchange Online mailbox is created in Office 365 it has all of the mailbox features and protocols enabled by default. This makes sense for the average Office 365 customer who doesn’t want to fiddle with settings to get basic functionality like email on mobile devices to work. But it is less suited for enterprises that have specific requirements for mailbox features that their users should have access to. For example, a business might decide that POP and IMAP access to mailboxes should be disabled by default, and only enabled for specific cases.

For some time we’ve had access to configure mailbox plans for Exchange Online mailboxes. Each tenant has a pre-configured set of mailbox plans that you can see by connecting to Exchange Online with PowerShell and running the Get-MailboxPlan cmdlet.

PS C:\> Get-MailboxPlan | Select Name,IsDefault
Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00               False
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3       False
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97      True
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff     False

There have been cases in the past where modifying mailbox plans was necessary to take advantage of new Office 365 capabilities. For example, two years ago Microsoft increased the maximum email message size for Exchange Online to 150MB, but kept the default maximum message size set to 35MB. To increase the maximum message size for your existing mailboxes you needed to run a Set-Mailbox command. To increase the maximum message size for newly created mailboxes you needed to modify the mailbox plan.

Now Microsoft is rolling out further enhancements to mailbox plans, per the Office 365 road map.

A limited set of configuration options are available for modifying mailbox plans, which we can see by looking at the parameters for the Set-MailboxPlan cmdlet.

PS C:\> (get-command set-mailboxplan).Parameters
Key                      Value
---                      -----
ErrorAction              System.Management.Automation.ParameterMetadata
IssueWarningQuota        System.Management.Automation.ParameterMetadata
Force                    System.Management.Automation.ParameterMetadata
MaxSendSize              System.Management.Automation.ParameterMetadata
RoleAssignmentPolicy     System.Management.Automation.ParameterMetadata
OutVariable              System.Management.Automation.ParameterMetadata
WhatIf                   System.Management.Automation.ParameterMetadata
Verbose                  System.Management.Automation.ParameterMetadata
RetentionPolicy          System.Management.Automation.ParameterMetadata
WarningVariable          System.Management.Automation.ParameterMetadata
Debug                    System.Management.Automation.ParameterMetadata
Confirm                  System.Management.Automation.ParameterMetadata
ProhibitSendQuota        System.Management.Automation.ParameterMetadata
OutBuffer                System.Management.Automation.ParameterMetadata
ErrorVariable            System.Management.Automation.ParameterMetadata
Identity                 System.Management.Automation.ParameterMetadata
RetainDeletedItemsFor    System.Management.Automation.ParameterMetadata
ProhibitSendReceiveQuota System.Management.Automation.ParameterMetadata
WarningAction            System.Management.Automation.ParameterMetadata
MaxReceiveSize           System.Management.Automation.ParameterMetadata
IsDefault                System.Management.Automation.ParameterMetadata
AsJob                    System.Management.Automation.ParameterMetadata

Stripping out the non-generic parameters from the output above, we see that Set-MailboxPlan can be used to configure these settings for newly created mailboxes:

  • IssueWarningQuota
  • ProhibitSendReceiveQuota
  • ProhibitSendQuota
  • MaxSendSize
  • MaxReceiveSize
  • RoleAssignmentPolicy
  • RetentionPolicy
  • RetainDeletedItemsFor

There are quite a few more parameters listed in the Set-MailboxPlan documentation on TechNet, but most of them are reserved for internal Microsoft use. Whether more of them become available to customers in future is unknown.

Another cmdlet, Set-CASMailboxPlan, can also be used to pre-configure mailbox properties. While Set-MailboxPlan manages settings that are otherwise configured by the Set-Mailbox cmdlet, the Set-CASMailboxPlan cmdlet manages settings that are otherwise configured by Set-CASMailbox. This basically includes mailbox access options, such as whether specific mailbox protocols are enabled or not.

The parameters that are currently available for Set-CASMailboxPlan are:

PS C:\> (get-command set-casmailboxplan).Parameters
Key               Value
---               -----
ErrorAction       System.Management.Automation.ParameterMetadata
ImapEnabled       System.Management.Automation.ParameterMetadata
Verbose           System.Management.Automation.ParameterMetadata
OwaMailboxPolicy  System.Management.Automation.ParameterMetadata
OutVariable       System.Management.Automation.ParameterMetadata
WarningVariable   System.Management.Automation.ParameterMetadata
Debug             System.Management.Automation.ParameterMetadata
Confirm           System.Management.Automation.ParameterMetadata
ErrorVariable     System.Management.Automation.ParameterMetadata
Identity          System.Management.Automation.ParameterMetadata
OutBuffer         System.Management.Automation.ParameterMetadata
WarningAction     System.Management.Automation.ParameterMetadata
PopEnabled        System.Management.Automation.ParameterMetadata
ActiveSyncEnabled System.Management.Automation.ParameterMetadata
WhatIf            System.Management.Automation.ParameterMetadata
AsJob             System.Management.Automation.ParameterMetadata

Again, stripping out the generic PowerShell parameters leaves us with these options:

  • ImapEnabled
  • OwaMailboxPolicy
  • PopEnabled
  • ActiveSyncEnabled

Many more parameters of Set-CASMailboxPlan are reserved for internal Microsoft use, including useful parameters like setting EWS block lists.

As with mailbox plans, each tenant is pre-configured with a set of CAS mailbox plans that you can view by running Get-CASMailboxPlan.

PS C:\> Get-CASMailboxPlan | Select Name,IsDefault
Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff

There is no IsDefault property for CAS mailbox plans, unlike mailbox plans. However, the names and GUIDs match, and I assume that when a mailbox plan is assigned to a mailbox the matching CAS mailbox plan is also applied. There is little sense in de-coupling the two.

As with mailbox plans, CAS mailbox plans take effect for newly created mailboxes, not for existing mailboxes. For example, let’s take a look at the IMAP protocol status for the existing mailbox user Jane Tulley.

PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*
ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

The IMAP protocol is enabled for Jane’s mailbox. If we then set the CAS mailbox plan to disable IMAP, it has no effect on Jane as an existing mailbox user.

PS C:\> set-CASMailboxPlan ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 -ImapEnabled:$false
PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*
ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

For a mailbox created after the CAS mailbox plan was modified, the IMAP protocol is disabled.

PS C:\> Get-CASMailbox TestUser10 | Select Imap*
ImapEnabled                             : False
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

What this means is that you can use mailbox plans and CAS mailbox plans to control how your newly created mailboxes are configured, at least for a limited set of options. However, you can’t use mailbox plans to roll out broad changes to mailbox configurations. For that you will need to write your own PowerShell commands or scripts to make the changes to existing mailboxes. Also, mailbox plans can’t be relied upon to re-apply mailbox configurations to ensure they remain compliant with your organization’s policies, because a setting changed on an individual mailbox after creation (for example by an administrator re-enabling IMAP for one user) stays changed. For that you will need to write your own scripts to scan for and remediate any mailbox configurations that drift away from your desired settings.
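To cover the gap just described, here is an added example script (not from the original post) that treats a CAS mailbox plan as the desired state, reports existing mailboxes whose IMAP, POP or ActiveSync settings have drifted from it, and optionally brings them back in line with Set-CASMailbox. It assumes an Exchange Online PowerShell session is already connected and, as the post observes, that the CAS mailbox plan shares the name of the default mailbox plan; the -PlanName and -Remediate parameters are the script’s own, not a product feature.

```powershell
# Added example, not from the original post: audit existing Exchange Online
# mailboxes against the protocol settings of a CAS mailbox plan and, with
# -Remediate, bring them back in line using Set-CASMailbox.
# Assumes an Exchange Online PowerShell session is already connected.
# The -PlanName and -Remediate parameters are this script's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    # CAS mailbox plan to treat as the desired state. When omitted, the CAS plan
    # named like the default mailbox plan is used (names and GUIDs match, per the post).
    [string]$PlanName,

    # Report only unless this switch is present. Honors -WhatIf / -Confirm.
    [switch]$Remediate
)

if (-not $PlanName) {
    $defaultPlan = Get-MailboxPlan | Where-Object { $_.IsDefault -eq $true } | Select-Object -First 1
    if (-not $defaultPlan) { throw 'No default mailbox plan was found in this tenant.' }
    $PlanName = $defaultPlan.Name
}

$casPlan = Get-CASMailboxPlan -Identity $PlanName
if (-not $casPlan) { throw "CAS mailbox plan '$PlanName' was not found." }

# The protocol switches Set-CASMailboxPlan exposes that also exist on Set-CASMailbox.
# OwaMailboxPolicy is left out because it is a policy reference, not a boolean.
$settings = 'ImapEnabled', 'PopEnabled', 'ActiveSyncEnabled'
$desired  = @{}
foreach ($s in $settings) { $desired[$s] = [bool]$casPlan.$s }

$summary = ($settings | ForEach-Object { "$_=$($desired[$_])" }) -join ', '
Write-Host "Desired state from CAS mailbox plan ${PlanName}: $summary"

$drifted   = @()
$mailboxes = @(Get-CASMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)

foreach ($mbx in $mailboxes) {
    # Collect only the settings that differ, so remediation touches nothing else.
    $diff = @{}
    foreach ($s in $settings) {
        if ([bool]$mbx.$s -ne $desired[$s]) { $diff[$s] = $desired[$s] }
    }
    if ($diff.Count -eq 0) { continue }

    $drifted += [pscustomobject]@{
        Mailbox = $mbx.PrimarySmtpAddress
        Drift   = ($diff.Keys | ForEach-Object { "$_ is $([bool]$mbx.$_) (plan: $($diff[$_]))" }) -join '; '
    }

    if ($Remediate -and $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Set $($diff.Keys -join ', ')")) {
        # Splat the drifted settings straight into Set-CASMailbox.
        Set-CASMailbox -Identity $mbx.Identity @diff
    }
}

$drifted | Format-Table -AutoSize
Write-Host ("{0} of {1} mailboxes drifted from plan {2}" -f $drifted.Count, $mailboxes.Count, $PlanName)
```

Run it without -Remediate first to get the drift report; adding -Remediate -WhatIf shows which Set-CASMailbox calls would be made before anything changes.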

The post Controlling Exchange Online Mailbox Features with Mailbox Plans appeared first on Practical 365.


Help Test the .NET Framework Checks for Exchange Analyzer

One of the tests that was developed earlier in the life of Exchange Analyzer looked at the version of .NET Framework installed on the server to determine if it was supported with the version of Exchange running on the server. After that test was originally written the support matrix for Exchange and .NET Framework became more complex. The test was not providing accurate guidance and was removed from Exchange Analyzer.

The version of .NET Framework running on your Exchange server is very important for performance and stability reasons, so adding the test back to Exchange Analyzer has been on my to-do list since it was removed. This week I’ve rewritten the test so that it should be accurate today, and maintainable in future as the support matrix changes.

However, it’s difficult to test this one thoroughly because there are so many possible combinations of Exchange Server and .NET Framework that are supported, not to mention all the unsupported ones. So I need some help, and that’s where you come in. I would appreciate some testers to give this new version a try before it is released publicly.

If you’re willing to test this new Exchange Analyzer version, please download a Zip file of the branch here.

The normal instructions for running Exchange Analyzer apply, which you can find here. But you should make sure you update your copy of the ExchangeAnalyzer module on your PC or server where you are running this updated version from. You’ll see new sections in the report for the .NET Framework support status, highlighted in the screenshot below.

After running your test please leave a comment below if the report was accurate. If you think that there was a problem with the results please email your report and script output to feedback@exchangeanalyzer.com.

The post Help Test the .NET Framework Checks for Exchange Analyzer appeared first on Practical 365.

Exchange Analyzer v0.2.5 Released

A new build of Exchange Analyzer is available, which includes the following fixes and improvements:

  • Rewritten .NET Framework test added back
  • Fix for bug in number formatting when reporting number of hours since last DB backup
  • Update to Wiki base URL for “More Info” links in report
  • Rewrite of POP3 and IMAP4 service status tests to use helper function, now reports startup modes of services
  • Other general code cleanups

Download the latest build here.

The next development milestone is targeting a v1.0.0 release.

The post Exchange Analyzer v0.2.5 Released appeared first on Practical 365.

Comparing Solutions for Mobile Device and Application Management in Office 365

As our business workforce becomes more mobile every year, and security risks for corporate data increase, it’s important to consider how you will manage mobility for your organization. Office 365 customers have a choice of solutions that can be used for mobile device management (MDM) and mobile application management (MAM). Each has different features available, with different strengths and weaknesses.

Some of the considerations that come into play include which devices and operating systems will need to be managed, and who will own those devices (BYOD vs corporate). We also need to consider whether non-Microsoft applications such as SaaS apps or custom business apps need to be managed. Diversity in the user population is also an important consideration. For some organizations a single approach to mobility is required, whereas others need to apply different policies and configurations to different groups of users. Specific compliance requirements are also important, as some organizations fall under strict government or industry regulations.

The solutions that we can choose from are:

  • Exchange ActiveSync
  • Office 365 MDM
  • Microsoft Intune

In addition to those Microsoft solutions there’s an extensive range of third party mobility solutions provided by other vendors. For this article I’m going to focus solely on the Microsoft solutions, but as part of your own assessment you should certainly evaluate third party options as well.

Exchange ActiveSync

Exchange ActiveSync has been available for mobile device management since the very early days of on-premises Exchange Server, and it is also available in Exchange Online. ActiveSync provides a basic MDM solution that allows you to configure policies that devices must comply with before they are allowed to connect to Exchange mailboxes. The policies cover basic device security options such as PIN/passcode strength, encrypted storage, and some features such as cameras. However, ActiveSync relies on the device honestly reporting its own compliance with the policy, so it’s not a guarantee that the policy requirements will actually be met.

There are also ActiveSync controls for either allowing, blocking, or quarantining (ABQ) a device or application based on characteristics such as the device family, operating system, or specific device IDs. You can read more about the ABQ process here.

For Office 365 customers ActiveSync is a quick and easy way to access email on mobile devices. As long as you have configured the Autodiscover records in DNS when you set up your Office 365 tenant (Microsoft provides the exact DNS records to use), mobile devices will be able to connect to Exchange Online mailboxes.

In fact, even devices that are not secured with a PIN or passcode will be able to connect, because the default mobile device policy in Office 365 is quite weak. If you plan to use ActiveSync for mobility you should review those policy settings and consider strengthening the policy requirements for devices.

One of the long-standing weaknesses of ActiveSync has been the inability to perform selective wipes. If a remote wipe was issued to an ActiveSync device, the entire device would be wiped and the user could potentially lose personal data. This became less of a problem once applications such as Touchdown or Outlook for iOS and Android became available, because the application itself became the “device” as far as Exchange Online is concerned. Any remote wipe issued to the application would only erase application data, not the entire mobile device. Microsoft made further investments in the development of the ActiveSync protocol and released EAS 16.1 which includes the ability to perform selective wipes (or “account-only wipes”) for compatible devices. Apple added support for EAS 16.1 in iOS 10.

ActiveSync works for connectivity to Exchange Online mailboxes for email, calendar, contacts, notes and tasks. ActiveSync is not used for other Office 365 workloads such as SharePoint, OneDrive, Planner, Teams, and so on. If your users are licensed only for an Exchange Online mailbox then you might consider ActiveSync to be a suitable solution. If you are using more features of Office 365 than just Exchange Online, then you should consider securing mobile access using Office 365 MDM or Microsoft Intune.

Office 365 MDM

Office 365 includes a mobile device management capability that extends beyond what ActiveSync can provide. Office 365 MDM is included free with Office 365 business and enterprise subscriptions. While ActiveSync takes a device-centric approach to mobile device management, and only works for Exchange Online, Office 365 MDM is able to enforce management and security policies on devices and applications that access other Office 365 workloads as well, for example OneDrive for Business. MDM policies can also be targeted at groups for ease of management.

The security settings that can be applied include the same PIN/passcode and device encryption options as ActiveSync provides, with additional detection of “jail broken” or “rooted” mobile devices. Office 365 MDM is also capable of managing the email profile on iOS devices and blocking users from creating their own profiles.

Selective wipes are also available in Office 365 MDM. Even though ActiveSync can perform account-only wipes for devices that are compatible with EAS 16.1, that still leaves a large number of older devices and applications among the user population that are not compatible. Office 365 MDM can perform selective wipes without the requirement of EAS 16.1 compatibility. However, very old devices are not compatible with Office 365 MDM at all. The current supported devices include:

  • iOS 7.1 or later
  • Android 4 or later
  • Windows Phone 8.1 or later
  • Windows 8.1 and 8.1 RT (limited to ActiveSync connections only)
  • Windows 10 and 10 Mobile (for Azure AD joined devices that have enrolled in Office 365 MDM)

Compared to ActiveSync, Office 365 MDM requires more initial setup and configuration. MDM is not activated by default, and an APNs certificate needs to be acquired from Apple for supporting iOS devices. The APNs certificate must also be renewed each year to prevent MDM-enrolled devices from losing access. I’ve written about the Office 365 MDM process in this series of articles:

Microsoft Intune

Microsoft Intune is a paid product that provides cloud-based mobile device and application management. Intune is available as a standalone license, and is also included in the Enterprise Mobility + Security (EMS) license. Intune has all of the capabilities of ActiveSync or Office 365 MDM but also offers a range of other features. Intune can be used to deploy business applications and application store apps to devices, as well as deploy configuration items such as certificates, VPN profiles and Wi-Fi network details. Web browsing from mobile devices can also be secured using the Intune Managed Browser app.

Intune also offers mobile application management (MAM) capabilities for preventing data being copied or saved from applications such as Word or OneDrive for business into other apps on managed devices. For example, you can allow users to download business documents using OneDrive, and edit them in the Word app on their device, but still prevent them from saving the file to their personal Dropbox app on the device.

Intune is not just for mobile devices; it can also be used to manage Windows PCs. Intune is also capable of operating in a hybrid mode with System Center Configuration Manager (SCCM) to unify the management of corporate on-premises and mobile/BYOD devices.

In an upcoming series of articles we’ll look closer at the capabilities of Intune and how to use it for specific scenarios.

The post Comparing Solutions for Mobile Device and Application Management in Office 365 appeared first on Practical 365.

The Fourth Edition of Office 365 for IT Pros is Nearly Here

I’m excited to announce that Office 365 for IT Pros, 4th Edition is nearly ready to be released. Assuming there are no last minute problems we’re expecting to release the new book later this week.

I wanted to give you this heads up because I know from feedback after previous releases that some of you need a few extra days to get approval for business purchases. If that is you, then here’s some information to help you with that process. For everyone else, this info should also answer the most frequently asked questions we get about buying or upgrading Office 365 for IT Pros.

Q: When will Office 365 for IT Pros, 4th Edition be available?

We’re expecting to have it available later this week. If you’re an email subscriber you will receive an email to let you know. The release will also be announced here on the blog, Twitter, and Facebook.

Q: What’s in the new edition?

Office 365 is a continually evolving and growing cloud service. The third edition of Office 365 for IT Pros has been updated regularly to adjust to those changes (full change log here), but structurally the book was losing alignment with the changes to Office 365’s services in a few key areas. A good example is the Office 365 Governance framework which has unified multiple, separate tools and capabilities into the Security and Compliance Center.

The new edition of the book has provided the opportunity to overhaul how those capabilities are covered, and better position the book for what will no doubt be a wave of further changes announced later this year at Microsoft Ignite.

In addition to the security and compliance changes, coverage has been expanded for important areas like Office 365 Groups, and the growing number of services that leverage Groups, such as Teams and Planner. There is also new content for Intune and Skype for Business Online, which have been among the most requested topics when we surveyed readers.

The cleanup has also allowed us to remove some obsolete material. Even so, the book has now grown to over 1000 pages, not including the separate bonus material that we also offer.

Essentially what you can expect to receive is the most up to date and comprehensive guide to Office 365 that is available anywhere.

Q: What is the price?

Office 365 for IT Pros, 4th Edition, will have the same pricing as the previous edition when purchased directly from Practical 365.

  • Standard Package – eBook (PDF + EPUB) + bonus PDFs, $39.95 (USD)
  • Premium Package – all of the above plus additional audio and video material, $49.95 (USD)

For a limited time we will be offering the above packages with a 20% discount.

For existing customers of Office 365 for IT Pros, 3rd Edition, you will receive an email with details of a discount upgrade offer. The emails will be sent when the new edition is ready for release. By upgrading you will receive the new edition plus ongoing updates to that edition. Updates to the 3rd edition will be ending after the 4th edition has been released.

Q: Will there be a Kindle version?

Yes. The Kindle version will appear in the Amazon Kindle Store in a few weeks. There’s some extra work involved, plus any delay in approval by Amazon.

The pricing for the Kindle version will remain the same. We are not able to offer a discount or upgrade to previous Kindle buyers due to the limitations of the Kindle store. If receiving upgrade offers in future is important to you then we recommend you purchase the PDF/EPUB version directly from Practical 365. The files are suitable for reading on a computer or tablet (I simply use iBooks on my iPad, it works great).

We’re really looking forward to getting Office 365 for IT Pros, 4th Edition, out the door and continuing the work of maintaining and updating it in future. If you have any other questions that haven’t been answered here please feel free to ask in the comments below.

The post The Fourth Edition of Office 365 for IT Pros is Nearly Here appeared first on Practical 365.

Office 365 for IT Pros, 4th Edition is Now Available

I’m pleased to announce the release of Office 365 for IT Pros, 4th Edition. This new edition of the industry’s leading Office 365 book has been updated with the very latest changes and new features in Microsoft’s Office 365 cloud services.

For this new edition we had four primary goals:

  • Restructure the book to better align with the way that Office 365 services co-exist today
  • Add new material, including Skype for Business Online coverage by MVP Ståle Hansen
  • Improve the coverage in other areas such as Office 365 Groups, Teams, and Intune
  • Remove obsolete material such as deprecated features

With 26 chapters spanning more than 1000 pages, Office 365 for IT Pros is the perfect eBook for:

  • Consultants and sysadmins tasked with migrating an organization to Office 365
  • IT professionals expected to manage or support Office 365 services
  • Experienced IT professionals who may be tasked with supporting services in Office 365 that they previously did not support on-premises
  • Help desk staff required to support Office 365 services and clients
  • IT pros looking for practical, real-world material to complement their training

To celebrate this release we’ve got a special offer for you. For a limited time you can get 20% off the regular price of Office 365 for IT Pros, 4th Edition. You can find out more details here.

The post Office 365 for IT Pros, 4th Edition is Now Available appeared first on Practical 365.

What’s New in Office 365 for May 2017

I’m a few days behind on this roundup because we’ve been busy getting the new fourth edition of Office 365 for IT Pros out the door. Here’s what’s new and changed in Office 365 for May.

Microsoft Teams, the Slack-like persistent chat service for Office 365 which became generally available in March, has switched to a default of “On” for the organization-wide setting in the admin portal. Microsoft recommends the use of per-user licensing for Teams, and is planning to remove the org-wide control from the portal in the near future. You can manage licensing for your Office 365 users with groups-based licensing or by using PowerShell.

The Advanced Threat Protection (ATP) roll out for Office 365 ProPlus applications began for customers that are ATP licensed (E5 or standalone licensing). ATP Safe Links policies can now be applied to links in Word, Excel, and PowerPoint documents. When end users click a link in a document, ATP checks whether the link points to a known malicious website; if it does, the user is blocked and warned of the threat. My Word docs started exhibiting this behavior back in April with a few initial hiccups, but it seems to have improved now. The Safe Links policies in the Security and Compliance Center (or via the Exchange Admin Center) now have additional organization-wide settings, which include the option to turn on Safe Links for Office 2016 on Windows.

More changes were rolled out for Office 365 Groups. Mail Contacts can now be added as members of Groups, simplifying the process of adding external guests to Groups. Tony Redmond has a write up of how this works, as well as a few quirks to be aware of. One of the caveats, at least for now, is that this doesn’t remove the requirement for distribution groups having no mail contacts in them before they can be converted to Groups. DL conversion to Groups is now available for admins and DL owners, but has a long list of eligibility requirements before a DL can actually be converted (e.g. must be a cloud-only group, that isn’t a security group, with no nesting, no forwarding, not dynamic, and more).

Groups are also getting a digest email for Group members to catch them up on communications they may have missed. The details on this are a bit vague so I’ll be interested to see it in action. From the info available it seems that you must be subscribed to the Group to receive the digest, which to me seems to be needless duplication (I’ll get the Group messages plus a digest of the Group messages?). If it is available as a separate option (e.g. I don’t want every message but I do want the digest) then that would make more sense to me, as would options to control the day/time the digest arrives.

SharePoint (and OneDrive for Business) are getting per-group sharing controls. First release tenants will start to see the new options in June, with other tenants to follow later. Currently we can control external sharing for the entire organization and at the site collection level. The new controls allow you to specify security groups that are allowed to share with external users, so you can lock down the organization-wide settings and then use the per-group settings to create exemptions.

SharePoint Online is also changing the email sending behavior for sharing emails. Previously all sharing emails were sent from no-reply@sharepointonline.com. This will change so that sharing emails for any user who has an Exchange Online mailbox will be sent using the user’s email address instead. The sharing email will also be saved in the user’s sent items folder. For users without Exchange Online mailboxes the no-reply@ behavior will continue.

For SharePoint and OneDrive mobile users a quality of life improvement is being implemented to increase the token lifetime from 14 days to 90 days. The longer session timeout is a welcome change for anyone who is getting tired of repeatedly logging in to mobile apps.

To improve the end user experience for OneDrive, which will probably increase adoption as well, Microsoft also announced OneDrive Files On-Demand which is coming for Windows 10 computers that have the “Fall Creators Update”, as well as mobile applications. Files On-Demand allows users who are connected online to see all of the files in their OneDrive, not just the files that have been synced locally. This is somewhat similar to the user experience when placeholders existed in OneDrive, and reduces local storage usage by allowing users to only sync their most important and frequently accessed files locally. When an online file is accessed it will be automatically downloaded to the local computer for access.

In Compliance Land, Office 365 eDiscovery is receiving several improvements. RMS decryption is now supported for eDiscovery results that are exported to MSG files. For customers licensed for Advanced eDiscovery, unified case management has removed the need to create separate cases in Advanced eDiscovery by allowing eDiscovery case information to carry over to Advanced eDiscovery. Advanced eDiscovery is also getting support for optical character recognition (OCR) to be able to recognize text in image files.

Microsoft announced plans for general availability of Microsoft Stream, the replacement for Office 365 Video. When Stream arrives in tenants Microsoft will begin a phased migration of existing Office 365 Video content into Stream. Existing links and embedded content will continue to work, so there is no action required. If you’re planning to begin using Office 365 for video content today, start with Microsoft Stream. Stream is enabled by default and can be managed with per-user licensing.

Exchange Online received an enhancement to mail flow rules that allows you to create rules for Direct to Calendar meetings, which bypass the invitee needing to accept (or reject) the message and instead will add it directly to their calendar. I can think of a few customer cases where all meeting requests originating from a particular user or application were deemed mandatory, or were always sent as tentative/info-only meeting requests, so this capability would be useful for those customers.

Microsoft Planner users have finally got a mobile app to use. The initial version of the app allows you to view and update plans on your mobile device, but not create new plans. That feature, as well as Intune support, are coming in the near future. Since Planner tasks don’t integrate with Outlook tasks, Microsoft now has two separate task management apps for mobile (Planner and To-Do).

The public preview of the Power BI Office 365 adoption content pack has arrived. We’re well past the stage of initial onboarding being the big hurdle for Office 365, and now it’s adoption of features that many organizations are focusing on to get value from their investment in Office 365. The Power BI reports let you see how your organization is using services like Exchange Online, Skype, Yammer, OneDrive, and SharePoint, as well as report on activations of licensed Office applications.

Image via blogs.office.com

Finally, usage reporting for Office 365 has been added to the Graph API as a preview. The individual usage reports that the Office 365 admin portal presents are useful enough, but many organizations want to pull that data into their own reporting or consolidate it into a single report. Now that the Graph API provides usage reporting data Microsoft has also announced that many of the PowerShell cmdlets currently used for that purpose have been deprecated, and will be retired in October this year. If you depend on those cmdlets for your custom reporting then it’s time you got into the Graph API instead.

The post What’s New in Office 365 for May 2017 appeared first on Practical 365.

Managing Projects with Office 365 Groups, Planner, and Teams

With Office 365 Microsoft is on a mission to provide productivity applications to empower their customers to achieve more. One feature in particular, Office 365 Groups, goes a long way to achieving that goal.

Groups began as an Outlook collaboration feature that brought email communication together with file and note sharing. Over time, Groups has also played the role of membership service to new applications such as Planner and Teams. As the integration between different applications has been established, the usefulness of Groups has grown.

Managing projects is one of the areas where Groups stands out. Project management in the Microsoft ecosystem has previously required the use of Microsoft Project or Project Server (or Project Online in the cloud services world). The Project suite of products has always come at an additional cost, and for smaller projects the cost isn’t always able to be justified. I’ve personally been involved in many internal and customer projects where the capabilities of Project would have been useful, but no budget was provided to pay for them.

With Office 365 Groups, Planner, and Teams, small to medium-sized projects get access to useful applications that help to manage the project without the additional cost. Here’s an overview of how Office 365 Groups can be used to manage projects.

Licensing for Office 365 Groups, Planner, and Teams

Office 365 Groups, Planner, and Teams are all included with Office 365 licenses that include Exchange Online and SharePoint Online. Today that means Business Essentials and Premium, and Enterprise E1, E3 and E5.

Let’s say for example that the following user accounts are already licensed for Office 365, and have Exchange Online mailboxes:

  • Jane Tulley, IT Operations Team Leader
  • Dave Bedrat, Senior Systems Engineer
  • John Dorey, Systems Engineer

The following user accounts are not already licensed for Office 365, and have Exchange on-premises mailboxes:

  • Alan Reid, IT Manager
  • Aaron Gardiner, Help Desk

To get the appropriate licenses assigned, the organization needs to assign Alan and Aaron an Office 365 license. This can be achieved using group-based license management, or you can also manage licenses with PowerShell, or you can do manual license assignment through the Office 365 portal.

Choosing a New vs Existing Office 365 Group

Both Planner and Teams can be used with an existing Group, or a new Group can be created for a new Plan or Team. When considering whether to use existing Groups or create new Groups, you should take into consideration:

  • Whether the people involved in the project align with an existing Group membership.
  • Whether the Group already has a Plan and Team attached that is used for other purposes (today Planner and Teams both have a 1:1 relationship with Groups, i.e. there can only be one Plan and Team per Group).
  • Whether the project has a life cycle that doesn’t align with the existing Group’s purpose.
  • Whether the project’s communications in email and Teams chat will clash with the existing communication running through that Group.

For most projects, it will make sense to create a new Group. A team that already has a Group might use that for micro-projects and general communication within their own team, but other projects with people from other areas of the company deserve their own Group.

When you create a Group you can invite all the project members, or add them later. The Group membership can change as the project moves through its different phases, and new members will gain access to all the previous conversations and information that the Group contains.

A Team is not automatically created for a Group, but you can attach a new Team to an existing Group. A Plan, however, is created automatically when the Group is created.

Using Planner for Project Tasks

Planner is a collaborative task management app, or as I like to think of it, a micro-project management app. When you create a Planner plan and add members to participate in that plan, each member can add their own tasks. However, only the managers of the Office 365 Group can edit the plan settings, or delete the plan entirely.

By adding tasks to Planner, the project team can see which tasks have been assigned to them, and when they are due to be completed. The project manager and other interested stakeholders can see project progress as well as conversations around individual tasks. It’s the type of dashboard view that managers love to look at, and with Planner they can check it any time they like without burdening the project team with requests for status updates.

With the Planner mobile app that is now also available, project team members can update their tasks from their mobile devices as well.

Using Teams for Communications

When you bring Teams into the picture the question needs to be asked, should you use Teams or Outlook for conversations during a project? The answer depends on the type of conversations that are taking place.

Broadcast communications to the entire project team, such as the summary of decisions made during a meeting, are well suited to email and are stored in the Group mailbox where they can be referenced later.

Real time conversations are better suited to the chat environment of Teams. The conversations are still preserved for historical reference, but are a little easier to read in their chronological order in Teams instead of needing to piece together email reply chains that can easily become fragmented as different people respond. Teams is also good for those members of the project team who don’t want to see email chains in their own inbox, but want to dip in and out of Teams to keep up to date on recent conversations.

Teams can also be used to host audio and video meetings, which is very useful for distributed teams. The Teams mobile clients also make it a useful real-time communication method for workers who aren’t at their desk. For example, a Help Desk officer providing post-migration desk side support to end users can chat with the rest of the team. Or a team member can provide remote support to others via Teams chat, instead of the comparatively slower conversations that occur over email.

Summary

Office 365 Groups, along with Planner and Teams, allows the users in an organization to spin up their own instances of collaboration, project management, and communications apps quickly and easily. Although Planner lacks some of the in-depth project management capabilities of Project, it is more than capable of providing task management for the type of small, simple projects that many organizations are constantly running.

There are still some rough edges that need polishing, however none of these are serious blockers at this stage. At least not for most organizations that I have dealt with.

There are some file storage inconsistencies between Groups, Planner, and Teams. In the Group view in Outlook, the files for individual Teams channels can’t be seen, but files attached to Planner tasks can be seen. The Teams client can see channel files, but not the files in the root of the document library that are visible in Outlook. However, all the files for the Group, Planner, and Teams can be viewed by opening the document library in SharePoint Online. Ideally that wouldn’t be necessary, but at least the workaround exists.

Planner integration with Teams is minimal. When you add a Planner tab to a Teams channel, it lets you view the tasks in the plan, but not anything else from Planner such as reporting views. Completing tasks in Planner doesn’t notify the channel, nor does it notify the Group manager. Ideally the option would exist for Planner activities to generate Teams notifications.

Adding a OneNote tab to Teams adds a section to the Group’s OneNote notebook, which is then visible when the notebook is accessed via Outlook. But you can’t add an existing OneNote section to Teams, you can only create a new one. Synchronization of content between Outlook and Teams is a little slow, but you’d probably only notice it if you quickly switched between the two. The OneNote tabs in Teams have no visual clues to differentiate them from other tabs. The same criticism exists for Planner tabs, but you can rename tabs to a more descriptive name after adding them.

Managing meetings in Teams is a little buggy. For meetings created in Teams you can’t invite the entire Group as a single entry, which you can do in Outlook. Instead you need to invite each individual user. Selecting a meeting room is also buggy, with room lists not working correctly. On the plus side, you can choose a Teams channel as the meeting location for IM or remote meetings.

The Office 365 road map has items in development to fix many of those issues as well as add more improvements such as guest access to Planner and Teams to allow collaboration with external users. But other than those few issues, the combination of Groups, Planner, and Teams is ready to provide good project management capabilities to many organizations today.

The post Managing Projects with Office 365 Groups, Planner, and Teams appeared first on Practical 365.


Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync


When an Exchange Online mailbox has the ActiveSync protocol disabled, you may find that the Outlook app for iOS and Android mobile devices is still able to connect to the mailbox to send and receive emails.

PS C:\> Set-CasMailbox dave.bedrat -ActiveSyncEnabled $false

The reason for this is the architecture of the Outlook app and the infrastructure it connects to. From TechNet:

Outlook for iOS and Android uses a stateless protocol translator component that is built and run in Azure. This component routes data and translates commands, but it doesn’t cache user data. The app is coded with the Outlook device API, a proprietary API that syncs commands and data to and from the app. Exchange Online data is accessed via the publicly available REST APIs. The protocol translator enables communication between Outlook and Exchange Online.

Image via TechNet

Even when ActiveSync is disabled the REST API is still accessible by Outlook. To block access to the REST API we need to use a different method. There are a few approaches that we can use:

  • A device access rule to block Outlook for iOS and Android. This is an organization-wide block and requires you to manually approve Outlook app usage on a per-user basis for anyone who still needs to use it, so it may not be a practical approach if you’re just trying to block one user from having any mobile email access.
  • A client access rule to block REST API access. Client access rules can be targeted at specific users but managing the target list over time could be cumbersome. This approach also blocks all REST API access for the targeted users, not just the Outlook app.
  • Block the Outlook app using an EWS block list. This is the approach I’ll demonstrate here.

As I’ve previously written here, EWS policies can be used to block or allow specific applications on a per-user or per-organization basis. If you want to block Outlook app usage for the entire organization then you would use an organization-level EWS block list. Since this example scenario is for a user who has had the ActiveSync protocol disabled I will stick to the per-user option. As a side note, if your Office 365 tenant has any “K” (kiosk) licenses then the organization-level EWS controls will not work, and you’ll need to use per-user EWS controls.

First, let’s take a look at the mobile device association that shows Outlook connecting to the REST API.

PS C:\> Get-MobileDevice -Mailbox "Dave Bedrat" | Where {$_.FriendlyName -like "Outlook*"} | Select DeviceModel,DeviceUserAgent,DeviceAccessState,ClientType
DeviceModel        : Outlook for iOS and Android
DeviceUserAgent    : Outlook-iOS/2.0
DeviceAccessState  : Allowed
ClientType         : REST

Next, let’s look at the EWS configuration for the mailbox.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy :
EwsAllowList               :
EwsBlockList               :

To block EWS access for the Outlook app we need to block its user agent. The iOS version of Outlook currently presents a user agent of “Outlook-iOS/2.0” (shown above), and the Android version uses “Outlook-Android/2.0”. Earlier versions used “Outlook-iOS-Android/1.0” for both platforms, so we can expect the user agent to change again as the version number increments. As such, it’s best to use a wildcard in the EWS block list. The example below blocks the current user agents for both platforms and any future user agent strings that follow the same pattern. Note that the original “Outlook-iOS-Android/1.0” string does not match either of those patterns, so add “Outlook-iOS-Android/*” as well if you still have clients on that version. Keep in mind that the user agent is a string supplied by the client and the block list matches it literally, so this is a control over clients that identify themselves honestly rather than a hard security boundary; a client that presents a different user agent is not caught by it.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

Another look at the EWS configuration for the mailbox shows the two user agents have been added to the block list, and the EwsApplicationAccessPolicy option is now set to EnforceBlockList.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy : EnforceBlockList
EwsAllowList               :
EwsBlockList               : {Outlook-Android/*, Outlook-iOS/*}

This change doesn’t take effect immediately. In my demo environment it took about 30 minutes before the Outlook app on my iPad stopped retrieving new emails. The access token life is 1 hour by default though, so you should expect it to take at least that long.

To reverse the block, remove the two user agents from the block list, and if there’s no more block list entries you can also null the EwsApplicationAccessPolicy.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}
PS C:\> Set-CASMailbox "Dave Bedrat" -EwsApplicationAccessPolicy $null

As one last point to keep in mind, the DeviceAccessState for the mobile device association won’t change from Allowed to Blocked when you use an EWS block list.
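The steps above handle one mailbox at a time. The script below is an added example, not code from the original post, that applies the same technique across the tenant: it finds every mailbox with ActiveSync disabled, checks whether an Outlook for iOS/Android partnership of ClientType REST still exists for it, and adds the two wildcard user agents to the per-user EWS block list where they are missing. It assumes an existing Exchange Online PowerShell session, and uses -WhatIf on Set-CASMailbox so the changes can be reviewed before they are applied.

```powershell
# Added example (not from the original post). Finds Exchange Online mailboxes that
# have ActiveSync disabled but still carry an Outlook for iOS/Android device
# partnership over REST, and applies the per-user EWS block list for those users.
# Assumes a connected Exchange Online PowerShell session.
# Remove -WhatIf from Set-CASMailbox to actually apply the block.

$blockPatterns = 'Outlook-iOS/*', 'Outlook-Android/*'

# Mailboxes where the ActiveSync protocol has been turned off (OPATH filter string;
# single quotes so that $false reaches the server as a literal token)
$easDisabled = Get-CASMailbox -ResultSize Unlimited -Filter 'ActiveSyncEnabled -eq $false'

$report = foreach ($cas in $easDisabled) {

    # Device partnerships for this mailbox created by the Outlook app via REST
    $outlookDevices = Get-MobileDevice -Mailbox $cas.Identity |
        Where-Object { $_.ClientType -eq 'REST' -and $_.DeviceModel -like 'Outlook*' }

    if (-not $outlookDevices) { continue }

    # Only the patterns not already present in the block list need adding
    $missing = @($blockPatterns | Where-Object { $cas.EwsBlockList -notcontains $_ })

    if ($missing.Count -gt 0) {
        Set-CASMailbox -Identity $cas.Identity -EwsBlockList @{ Add = $missing } -WhatIf
    }

    # One row per affected mailbox for the audit trail
    [PSCustomObject]@{
        Mailbox        = $cas.Identity
        OutlookDevices = ($outlookDevices | ForEach-Object { $_.DeviceUserAgent }) -join '; '
        AlreadyBlocked = ($missing.Count -eq 0)
        EwsPolicy      = $cas.EwsApplicationAccessPolicy
    }
}

$report | Format-Table -AutoSize
```

The report is worth keeping even if you never apply the block: a mailbox that shows up here is one where the administrator believed mobile access was off while the Outlook app was still syncing over REST. As noted above, the DeviceAccessState of those partnerships stays at Allowed after the EWS block, so the partnership list alone will not tell you the block is in place; the EwsBlockList and EwsApplicationAccessPolicy values on the CAS mailbox are the authoritative record.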

The post Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync appeared first on Practical 365.

Help Test V1.02 of the Office 365 Groups Report Script


The Office 365 Groups report script helps you track new, modified, and deleted Groups in your Office 365 tenant. When the script was first developed there was no method for recovering deleted Groups. That has since been added, along with the Azure AD PowerShell cmdlets to support it.

Right now the PowerShell cmdlet Get-AzureADMSDeletedGroup, which lists soft-deleted Groups that are recoverable for 30 days, is available in the AzureADPreview module. I’ve taken the opportunity to start updating the Office 365 Groups report script to include information about deleted Groups that are still recoverable.

The new script adds two pieces of information:

  • Newly deleted Groups are now listed with the time stamp for when they were deleted. Previously the script could only detect that the Group had been deleted since the last time you ran the script, but not provide a specific time.
  • Recoverable Groups are now listed in a section of the report, including the number of days until they can no longer be recovered.

I’m releasing V1.02 of the script as a beta for now, until the PowerShell cmdlets are released in the Azure AD module, and so that any bugs that come up in the real world can be fixed before then. If you are willing to test it for me and provide feedback, please download this zip file. You’ll also need to install or update the Azure AD Preview module on your computer so that you have at least V2.0.0.127. All other dependencies and usage instructions listed here still apply.

Any feedback from your testing is appreciated, and can be provided in the comments below or by raising an issue on GitHub.

The post Help Test V1.02 of the Office 365 Groups Report Script appeared first on Practical 365.

Microsoft Forms Arrives for Commercial Office 365 Tenants


Microsoft Forms is an Office 365 app that allows users to build surveys, questionnaires, quizzes, and other data collection forms. Until now Forms has been focused on the education market, and as such has only been available to Education customers in Office 365.

A recent addition to the Office 365 road map indicates that Forms is on its way to commercial tenants as well, noted as a Preview.

Today as I poke around the admin portal I’ve discovered that Forms has arrived for all of my tenants. My Message Center has no notices about it, nor does the official Office 365 blog. Perhaps the roll out has just begun and the announcements are forthcoming. Update: a Message Center notice has now appeared in my tenant, and refers to this Forms release as a Preview.

There’s nothing in my admin portal or in the Forms app itself to suggest this is a Preview, it actually looks like a GA release to me.

As with all new Office 365 features, Forms is enabled by default. It’s a useful app, but an immediate concern for some organizations may be the external collaboration feature, which is also enabled by default. You can find this setting in the Office 365 admin portal under Settings -> Services & Add-ins.

Obviously Forms is well suited to external data collection, such as running marketing surveys or collecting registration information for events. That’s where the trouble begins for some organizations though, with concerns over the type of data collection that their users might try to use it for, and where that data is subsequently stored. It would be bad if a user unwittingly designed an event registration form that collected credit card details or other sensitive information. The control above only limits external collaboration though, not external responses, so if you’d like to be absolutely sure that none of your users start collecting external data you’ll need to disable Forms entirely for them.

Because Forms is on by default, the way to disable it is through licensing. Forms now appears as a service plan in the per-user licensing options in the Office 365 admin portal.

Forms is also available as an option in Azure AD group-based licensing, if that is how you’re managing your licenses.
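Turning the Forms service plan off for more than a handful of users is easier in PowerShell, and there is a trap worth showing: Set-MsolUserLicense -LicenseOptions replaces the entire set of disabled plans on a licence, so any plan that was already disabled must be carried forward or it silently becomes enabled again. The script below is an added example, not code from the original post. It assumes the MSOnline module with Connect-MsolService already run, a tenant SKU id of contoso:ENTERPRISEPACK, and that the Forms plan in that SKU is named FORMS_PLAN_E3; the user list is constructed for the example. Confirm the plan name for your own SKU with (Get-MsolAccountSku).ServiceStatus before running it.

```powershell
# Added example (not from the original post). Disables the Microsoft Forms service
# plan for a list of users while preserving the plans already disabled on their
# licence. Assumes Connect-MsolService has been run.
# The SKU id and plan name below are assumptions for this example; verify them
# with Get-MsolAccountSku and its ServiceStatus collection for your tenant.

$accountSku = 'contoso:ENTERPRISEPACK'   # assumed tenant SKU id
$formsPlan  = 'FORMS_PLAN_E3'            # assumed Forms plan name in the E3 SKU
$users      = 'alan.reid@contoso.com', 'aaron.gardiner@contoso.com'  # constructed sample list

foreach ($upn in $users) {
    $user = Get-MsolUser -UserPrincipalName $upn
    $lic  = $user.Licenses | Where-Object { $_.AccountSkuId -eq $accountSku }

    if (-not $lic) {
        Write-Warning "$upn does not hold $accountSku; skipping"
        continue
    }

    # Plans already disabled on this licence. -LicenseOptions replaces the whole
    # disabled set, so these must be included again or they would be re-enabled.
    $disabled = @($lic.ServiceStatus |
        Where-Object { $_.ProvisioningStatus -eq 'Disabled' } |
        ForEach-Object { $_.ServicePlan.ServiceName })

    if ($disabled -contains $formsPlan) {
        Write-Host "$upn already has $formsPlan disabled"
        continue
    }

    $newDisabled = $disabled + $formsPlan
    $options = New-MsolLicenseOptions -AccountSkuId $accountSku -DisabledPlans $newDisabled
    Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $options

    Write-Host "$upn : disabled plans are now $($newDisabled -join ', ')"
}
```

For users whose licence is assigned through Azure AD group-based licensing, change the disabled plans on the group's licence assignment rather than on the individual user, otherwise the direct assignment and the inherited one will disagree about which plans are enabled.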

It’s good to see Forms finally show up in commercial tenants. I run a lot of surveys myself, so I’ll be exploring it with interest. It just would have been nice to get notified of its arrival. Update: My Message Center has been updated with a notice about the Forms Preview release.

The post Microsoft Forms Arrives for Commercial Office 365 Tenants appeared first on Practical 365.

Controlling Third Party Cloud Storage Access for Microsoft Teams


Microsoft Teams now has the ability to connect to external cloud storage providers such as Dropbox and Google Drive. This change is rolling out to Office 365 customers now, and is enabled by default.

Microsoft takes a reasonably open approach to third party integration with their apps these days, especially cloud storage apps. The reality of course is that Microsoft’s own file storage solution, OneDrive for Business, has a patchy reputation for reliability and functionality, which means a lot of Office 365 customers ended up using third party services for file storage. Naturally Microsoft would like those customers to make use of Teams and other Office 365 apps, so integration is necessary. OneDrive for Business also has different use cases than other services, for example Dropbox works well for small teams as a file server replacement without a lot of complexity involved in setting it up, whereas OneDrive is a sync client that works with SharePoint-based stores which require more expertise to set up. Simply put, there’s a lot of non-Microsoft cloud storage usage out there, and integration with Teams helps it compete with other team chat apps.

For the end user, the option to add cloud storage is available in the Files tab of a Teams channel.

The user is prompted to authenticate to their cloud storage provider, such as Dropbox.

After adding a folder from cloud storage, the files will be accessible in Teams to any user who can authenticate to the same storage service and who has access to those files in that service. For example, if Dave Bedrat adds a Dropbox folder to the IT Operations team, other team members such as Jane Tulley can’t access the files with their own Dropbox credentials if Dave has not shared the folder with them in Dropbox.

After the files have been shared and accepted in Dropbox they will be accessible by Jane in Microsoft Teams.

For organizations that do not want to allow access to cloud storage services there are controls available in the Office 365 admin portal. Navigate to Settings, Services & add-ins, and open the Microsoft Teams settings. You can disable some or all of the storage services here. It’s possible that in future other storage services will be added to Teams, so keep an eye on your Message Center notifications so that you can revisit these settings again in future when necessary.

In my testing the change took about 30 minutes before the Teams clients lost access to the options to add third party cloud storage to their channels. The Dropbox folder remained visible in Teams, but could not be opened. The only option available was to delete it.

The “Delete” button should probably be renamed to “Remove” since that is what it really does. The folder contents themselves are not deleted, and the dialog that pops up to confirm uses the word “Remove” which is a better description of what is happening. The user is also told they can add it back any time, even if all of the cloud storage options are disabled by an administrator, which is a bit misleading but probably won’t cause many issues.

If you decide to turn off cloud storage for Teams, and there’s a chance that your users are already making use of the feature, then you’ll need to plan how to communicate the change. Teams itself doesn’t surface any reports to indicate who is using what, so there’s no easy way to find out who is already using cloud storage. If your organization is already using Cloud App Security to discover app usage then that might give you some clues. Otherwise, you’ll just need to come up with the best communication plan that suits your organization.

The post Controlling Third Party Cloud Storage Access for Microsoft Teams appeared first on Practical 365.

June 2017 Updates Released for Exchange Server


Microsoft has announced the latest quarterly updates for Exchange Server 2016 and 2013.

For Exchange Server 2016 this release includes the following improvements for on-premises customers:

Those changes do not apply to Exchange Server 2013. From Microsoft’s blog post:

These features are targeted to Exchange Server 2016 only and will not be included in Exchange Server 2013. Exchange Server 2013 already has its own implementation of Sent Items Behavior Control which is different than the version we are releasing today. The Cumulative Update 6 behavior is more closely aligned with how this worked in Exchange Server 2010. Due to architectural differences, the configuration of this feature is not retained if mailboxes are moved between Exchange Server 2010 and Exchange Server 2016 or between Exchange Server 2013 and Exchange Server 2016.

Microsoft also shared progress on two other matters:

  • Support for TLS 1.2 is described as “improved”, but Microsoft is not ready to recommend deprecating TLS 1.0 and 1.1 yet.
  • .NET 4.7 compatibility testing is progressing well with no issues found so far, but they are not ready yet to declare .NET 4.7 supported for Exchange servers.

ADDITIONAL INFORMATION

The post June 2017 Updates Released for Exchange Server appeared first on Practical 365.
